Serious Vulnerabilities In Symantec Products Are ‘As Bad As It Gets’

Researchers at Google’s Project Zero team have uncovered what they say are a series of critical vulnerabilities in Symantec’s antivirus products that are “as bad as it gets”, claiming the company really “dropped the ball.”

Flaws were found in Symantec’s core engine which is shared across a range of Symantec and Norton security products, including Norton Security; Symantec Endpoint Protection; Symantec Email Security; Symantec Protection Engine; and Symantec Protection for SharePoint Servers.

Symantec products across all platforms are said to be affected.

Harsh Criticism

“Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws,” said Project Zero’s Tavis Ormandy. “These vulnerabilities are as bad as it gets.

“They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”

He also warned that some of the affected programs cannot be automatically updated, which means that system administrators must take immediate action to protect their networks.

Symantec meanwhile has fixed the flaws and has published advisories for its customers.

The tone of Ormandy’s blog post is unusually harsh. He pulled no punches when describing the flaws in Symantec’s products, and said the vendor had “cut corners” when it decided to use unpackers in the kernel.

And Ormandy slated Symantec for failing to conduct vulnerability management.

“Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.”

“Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases.”

Point Scoring?

The tone of Project Zero may raise some eyebrows in security circles, but Project Zero has had something of a controversial past.

It won few friends when it decided to automatically publish the zero-day vulnerabilities it discovers after 90 days, even if the vendor had not published a fix.

Microsoft hit out at Google for publishing details of two vulnerabilities, arguing that such disclosures harmed end users by offering attackers information about potential flaws that could be exploited.

Google’s Project Zero security team also ruffled the feathers of Apple after it went public with a number of flaws in Apple’s Mac OS X operating system, after the iPad maker failed to respond with fixes.

In February 2015, Project Zero pledged to offer up to two weeks’ grace if a vendor notifies the search giant that a patch is in the works.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
