GOOGLE'S PROJECT ZERO security group has published details of what it describes as a series of critical vulnerabilities in Symantec's Norton Antivirus product that "are as bad as it gets".
"They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption," said Project Zero's Tavis Ormandy in a blog post.
Frightened? You should be. Symantec uses the same core engine across all its antivirus products, including:
- Norton Security, Norton 360, and other legacy Norton products (all platforms)
- Symantec Endpoint Protection (all versions, all platforms)
- Symantec Email Security (all platforms)
- Symantec Protection Engine (all platforms)
- Symantec Protection for SharePoint Servers
Some of these products cannot be updated automatically, and administrators must take immediate action to protect their networks. Symantec has also been so kind as to publish some security advisories for its customers.
Ormandy roasted Symantec for the flaws. For example, antivirus software typically ships dedicated unpackers to get round the problem of software 'packers', tools that compress or obfuscate executables before they are shipped.
"This causes a problem for antivirus products because it changes how executables look," he said.
"Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers."
The problem with both of these solutions, according to Ormandy, is that they're hugely complicated and prone to vulnerabilities, making it "extremely challenging" to make code like this safe.
"We recommend sandboxing and a security development lifecycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities," he said.
Other security companies have been whacked for cutting corners here, including Comodo, ESET, FireEye and Kaspersky, but Symantec goes a step further: it runs its unpackers inside the operating system kernel.
A flaw in an unpacker, triggered by a carefully crafted file, can therefore lead to a catastrophic buffer overflow, and on Windows that means kernel memory corruption.
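To make the bug class concrete, here is an added example that is not Symantec's code and uses a hypothetical toy packed-section layout (a 4-byte length field followed by payload): the trusting unpacker copies whatever length the file claims, while the hardened form checks that length against both the output buffer and the remaining input before touching memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy "packed section" layout for this example (hypothetical, not any real packer):
 * 4-byte little-endian unpacked length, followed by the payload bytes. */
#define OUT_BUF_SIZE 64

enum unpack_status { UNPACK_OK = 0, UNPACK_ERR_TRUNCATED = -1, UNPACK_ERR_TOO_LARGE = -2 };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bug pattern: the length comes straight from the file and is never compared with
 * either the output buffer or the remaining input. A crafted header overflows `out`
 * and over-reads `in`; in a kernel-mode unpacker that is kernel memory corruption.
 * Kept for contrast only; never called on untrusted data in this example. */
size_t unpack_trusting(const uint8_t *in, uint8_t out[OUT_BUF_SIZE]) {
    uint32_t n = read_le32(in);
    memcpy(out, in + 4, n);
    return n;
}

/* Hardened form: every length is validated against real bounds before memory is touched. */
int unpack_checked(const uint8_t *in, size_t in_len, uint8_t out[OUT_BUF_SIZE], size_t *out_len) {
    if (in_len < 4) return UNPACK_ERR_TRUNCATED;        /* header itself is missing */
    uint32_t n = read_le32(in);
    if (n > OUT_BUF_SIZE) return UNPACK_ERR_TOO_LARGE;  /* would overflow out */
    if (n > in_len - 4) return UNPACK_ERR_TRUNCATED;    /* would over-read in */
    memcpy(out, in + 4, n);
    *out_len = n;
    return UNPACK_OK;
}

/* Constructed sample inputs: one well-formed, two malformed. */
static const uint8_t SAMPLE_GOOD[]      = { 0x05, 0x00, 0x00, 0x00, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_OVERSIZED[] = { 0xFF, 0xFF, 0xFF, 0x7F, 'x' };        /* claims ~2 GiB */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x08, 0x00, 0x00, 0x00, 'a', 'b' };   /* claims 8, has 2 */

/* Run one sample through the hardened unpacker; returns its status and, on success, the length. */
int check_sample(const uint8_t *in, size_t in_len, size_t *out_len) {
    uint8_t out[OUT_BUF_SIZE];
    return unpack_checked(in, in_len, out, out_len);
}
int check_good(size_t *len)      { return check_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD, len); }
int check_oversized(size_t *len) { return check_sample(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, len); }
int check_truncated(size_t *len) { return check_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, len); }
```

The two rejection paths are exactly the checks a sandboxed, user-mode unpacker could also fail safely on; in the kernel there is no such safety net, which is the point Ormandy makes.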
"Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it. The victim does not need to open the file or interact with it in any way," warned Ormandy.
"Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers. An attacker could easily compromise an entire enterprise fleet using a vulnerability like this."
Project Zero typically hunts down zero-day flaws in everyday software and gives the providers 90 days to release fixes before publishing them.
Symantec has already rushed out patches for the flaws identified by Project Zero, but Ormandy probably couldn't wait to write about them.