Norton Security for Mac - MITM SSL Certificate Vulnerability (CVE-2017-15528)
Overview
"Norton Internet Security for Mac protects your Mac from virus and malware via advanced scanning and detection technologies."
(https://us.norton.com/macintosh-internet-security)
Issue
The Norton Security for Mac stub installer below version 7.6, does not validate the SSL certificate it receives when connecting to the server used to download the main installer.
Impact
An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the stub installer will accept silently and could allow the download server to be spoofed.
Timeline
August 26, 2017 - Notified Symantec via secure@symantec.com
September 29, 2017 - Provided the vulnerability details to CERT/CC
October 9, 2017 - CERT/CC confirmed they received the report details
November 6, 2017 - Asked CERT/CC if Symantec provided an update on the status of the fix
November 20, 2017 - Symantec released version 7.6 of the stub installer
November 21, 2017 - CERT/CC published vulnerability note VU#681983
April 26, 2018 - Published an advisory to document the issue
Solution
Utilize Install Norton Security for Mac version 7.6 or greater
CVE-ID:
CVE-2017-15528
CERT/CC Report
https://www.kb.cert.org/vuls/id/681983