Google’s Project Zero exposes massive security issues in Symantec software
In a withering takedown of one of the most popular enterprise security software firms, a researcher from Google, Inc.’s Project Zero security team has exposed critical flaws across a range of products from Symantec, Inc., including Norton Anti-Virus.
The flaws were disclosed by Project Zero’s Tavis Ormandy, who described them as “as bad as it gets.”
“They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible,” Ormandy wrote. “In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
Ormandy then warned that the vulnerabilities are unusually easy to exploit, allowing an attack to spread virally from machine to machine over a targeted network or even over the internet as a whole.
He explained that the flaw comes from the way Symantec software uses a filter driver:
Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.
An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.
The problem comes down to a flaw in the engine of Symantec’s software that reverses the compression tools malware developers use to conceal malicious payloads. These “unpackers” parse the code contained in files before the files are allowed to be downloaded or executed.
Because Symantec runs these unpackers in the operating system kernel, a bug in them can allow attackers to gain complete control over a machine.
Affected products include:
- Norton Security, Norton 360, and other legacy Norton products (all platforms)
- Symantec Endpoint Protection (all versions, all platforms)
- Symantec Email Security (all platforms)
- Symantec Protection Engine (all platforms)
- Symantec Protection for SharePoint Servers
Roasting
Ormandy did not hold back in the least in roasting Symantec for the flaws, adding that “Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers.”
Symantec responded to the exposure by issuing a security notice detailing the issue, but it is not clear at the time of writing as to whether they have actually addressed the vulnerability at hand.
Image credit: mmckeay/Flickr/CC by 2.0