UPDATED 23:50 EDT / JUNE 29 2016

Google’s Project Zero exposes massive security issues in Symantec software

In a withering takedown of one of the most popular vendors of enterprise security software, a researcher from Google, Inc.’s Project Zero security team has exposed critical flaws across a range of products from Symantec, Inc., including Norton Anti-Virus.

The exposure of the flaws came from Project Zero’s Tavis Ormandy, who described the flaws as being “as bad as it gets.”

“They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible,” Ormandy wrote. “In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”

Ormandy then warned that the vulnerabilities are unusually easy to exploit, allowing an attack to spread virally from machine to machine across a targeted network, or even across the internet as a whole.

He explained that the flaw comes from the way Symantec software uses a filter driver:

Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus; it’s a significant tradeoff in terms of increasing attack surface.

The problem comes down to a flaw in the engine that Symantec software uses to reverse the compression tools malware developers use to conceal malicious payloads. These “unpackers” parse the code contained in files before the files are allowed to be downloaded or executed.

Because Symantec runs these unpackers in the operating system kernel, errors in them can allow attackers to gain complete control over a machine.

Affected products include:

  • Norton Security, Norton 360, and other legacy Norton products (all platforms)
  • Symantec Endpoint Protection (all versions, all platforms)
  • Symantec Email Security (all platforms)
  • Symantec Protection Engine (all platforms)
  • Symantec Protection for SharePoint Servers

Roasting

Ormandy did not hold back in the least in roasting Symantec for the flaws, adding that “Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers.”

Symantec responded to the exposure by issuing a security notice detailing the issue, but at the time of writing it is not clear whether the company has actually addressed the vulnerabilities at hand.

Image credit: mmckeay/Flickr/CC by 2.0
