VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 31, 2004· Updated Apr 16, 2026

CVE-2004-1910

CVE-2004-1910

Description

A long string passed to GetPrivateProfileString in rufsi.dll of Symantec Virus Detection causes a denial of service (crash) via a malicious web page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A long string passed to GetPrivateProfileString in rufsi.dll of Symantec Virus Detection causes a denial of service (crash) via a malicious web page.

Vulnerability

The rufsi.dll ActiveX control, part of the Symantec Virus Detection (Symantec Security Check), contains a vulnerability in the GetPrivateProfileString function. A remote attacker can cause a denial of service by passing an overly long string to this function. The vulnerable control is registered as Symantec.SymVAFileQuery.1. Affected versions include the control as distributed with the Symantec Security Check in 2004. [1][2]

Exploitation

An attacker can exploit this issue by hosting a malicious web page that instantiates the ActiveX control and calls the GetPrivateProfileString method with a long string argument. The user must visit this page with a browser that has the ActiveX control installed (i.e., after having previously run a Symantec Security Check scan). No authentication or user interaction beyond visiting the page is required. [1][2]

Impact

Successful exploitation results in a crash of the browser (denial of service). While the original report claimed remote code execution, Symantec contested that assertion and stated that only a process crash is possible. No arbitrary code execution is achievable. [2]

Mitigation

No official patch was released; Symantec considered the crash to be a low-risk issue. Users could mitigate the risk by disabling the ActiveX control or by not browsing untrusted sites after running the Symantec Security Check. Alternatively, the rufsi.dll could be unregistered. [2]

References
  1. 'Symantec Virus Detection(Free ActiveX) - Remote Buffer Overflow'
  2. 'Re: Symantec Virus Detection(Free ActiveX) - Remote Buffer Overflow, Apr 7'

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input-length validation in the `GetPrivateProfileString` function of `rufsi.dll` allows an overly long string parameter to corrupt memory and crash the control."

Attack vector

An attacker hosts a malicious web page that instantiates the `Symantec.SymVAFileQuery.1` ActiveX object via VBScript's `CreateObject` [ref_id=1]. The page then calls `GetPrivateProfileString` with a normal first argument (e.g. `"file"`) and an extremely long second argument (over 740,000 characters) [ref_id=1]. When a victim who has previously used Symantec Virus Detection visits the page, the overly long string causes the ActiveX control to crash, resulting in a denial of service [ref_id=1]. The researcher originally claimed remote code execution, but the vendor disputes that assertion while acknowledging the crash [ref_id=1].

Affected code

The vulnerable component is the ActiveX control `rufsi.dll`, specifically the COM object `Symantec.SymVAFileQuery.1` [ref_id=1]. The flaw resides in the `GetPrivateProfileString` function, which accepts two string parameters (`bstrSection` and `bstrKey`) [ref_id=1]. No patch is included in the bundle.

What the fix does

The bundle does not contain a patch or vendor advisory describing a fix. The only remediation guidance available is the vendor's dispute of the buffer-overflow claim, though they acknowledge a crash occurs [ref_id=1]. Without a published patch, users would need to disable or remove the `rufsi.dll` ActiveX control or restrict its use via browser security settings (e.g., setting the kill bit for the CLSID of `Symantec.SymVAFileQuery.1`).

Preconditions

  • configThe victim must have previously visited the Symantec Virus Detection page (http://security.symantec.com/sscv6/vc_scan.asp) so that rufsi.dll is installed and the COM object is registered.
  • configThe victim must use a browser that supports ActiveX and VBScript (typically Internet Explorer on Windows).
  • networkThe attacker must be able to serve a web page to the victim (e.g., via a malicious website or injected ad).
  • inputThe attacker supplies an overly long string (greater than 740,000 characters) as the second argument to GetPrivateProfileString.

Reproduction

1. Ensure the victim has visited `http://security.symantec.com/sscv6/vc_scan.asp` at least once so that `rufsi.dll` is installed and the COM object `Symantec.SymVAFileQuery.1` is registered [ref_id=1]. 2. Host an HTML page containing the VBScript PoC from the reference write-up [ref_id=1]. 3. When the victim opens the page in Internet Explorer, the script creates the ActiveX object and calls `GetPrivateProfileString "file", <very long string>` with a string exceeding 740,000 characters [ref_id=1]. 4. The browser or the ActiveX control crashes, causing a denial of service [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.