Norton Security for Mac - MITM SSL Certificate Vulnerability (CVE-2017-15528)


"Norton Internet Security for Mac protects your Mac from virus and malware via advanced scanning and detection technologies."



The Norton Security for Mac stub installer below version 7.6, does not validate the SSL certificate it receives when connecting to the server used to download the main installer.


An attacker who can perform a man in the middle attack may present a bogus SSL certificate which the stub installer will accept silently and could allow the download server to be spoofed.


August 26, 2017 - Notified Symantec via
September 29, 2017 - Provided the vulnerability details to CERT/CC
October 9, 2017 - CERT/CC confirmed they received the report details
November 6, 2017 - Asked CERT/CC if Symantec provided an update on the status of the fix
November 20, 2017 - Symantec released version 7.6 of the stub installer
November 21, 2017 - CERT/CC published vulnerability note VU#681983
April 26, 2018 - Published an advisory to document the issue


Utilize Install Norton Security for Mac version 7.6 or greater



CERT/CC Report


Contact Information