Looks like Symantec have finally fixed some security issues I raised with them back in January 2012 for Symantec Message Filter 6.3.
It took them 6-months - so I am not impressed with their patching-cycle, or their focus on IT Security generally (this is supposed to be a security product after all).
Basically, as I described at BlackHat EU back in May 2012, this product-installer had versions of Tomcat and MySQL which were 7 years old, with default content and no patches (so the product had well-known third-party exploits right out of the box).
Additionally (which I felt I couldn't describe at the time, because it was 0-day) there were session-management and information-disclosure issues in the administrative UI, plus Cross Site Request Forgery (CSRF) of administrative-functions and XSS.
More detail is here:
The CVEs are: