PT-2011-1303 · Symantec · Symantec Management Platform+2

Published 2011-03-07 · Updated 2013-02-07 · CVE-2009-3028

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Symantec Altiris Deployment Solution versions 6.9.x
Symantec Notification Server versions 6.0.x
Symantec Management Platform versions 7.0.x

Description

The issue concerns an unsafe method exposed by the Altiris eXpress NS SC Download ActiveX control in AeXNSPkgDLLib.dll. This allows remote attackers to force the download of arbitrary files and possibly execute arbitrary code via the DownloadAndInstall method.

Recommendations

For Symantec Altiris Deployment Solution versions 6.9.x, consider disabling the DownloadAndInstall method until a patch is available.
For Symantec Notification Server versions 6.0.x, restrict access to the AeXNSPkgDLLib.dll library to minimize the risk of exploitation.
For Symantec Management Platform versions 7.0.x, avoid using the DownloadAndInstall method in the affected ActiveX control until the issue is resolved.


Related identifiers

CVE-2009-3028

Affected products

Symantec Altiris Deployment Solution
Symantec Management Platform
Symantec Notification Server