Using ominous turns of phrase like “As bad as it gets” and “100 percent reliable exploit,” Google Project Zero researcher Tavis Ormandy yesterday issued an at-times scathing analysis of eight vulnerabilities he discovered across the entire Symantec-Norton security product line.
Symantec issued its own security advisory as well, noting that these vulnerabilities – most of which are of critical severity – primarily involve the parsing of malicious container files, which “may cause memory corruption, integer overflow or buffer overflow in Symantec's decomposer engine.”
Ormandy didn't mince words when describing why these flaws are so grave: “They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible,” he wrote in his blog post.
Moreover, if exploited, they could result in denial of service, arbitrary code execution, privilege escalation and kernel-level control of a machine. Symantec delivered some of these fixes through automatic updates, but other products require users and administrators to install the update themselves, which is strongly advised.
Among the key problems raised by Ormandy is the way Symantec (and other antivirus vendors, for that matter) handles executable code that arrives packed, or compressed. Packing is often used to obfuscate malware, so AV products rely on unpackers to restore unknown files to their original form before scanning them. Unfortunately, one of Symantec's unpackers has a trivial buffer overflow that can be exploited simply by sending a crafted email carrying a malicious file or link, because the product scans everything that reaches the machine. The recipient need not open the file or interact with it to be affected. Worse, because Symantec runs its unpackers inside the kernel on Windows, the resulting memory corruption occurs at the kernel level.
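As an added example for this page (it is not Symantec's code and not a reconstruction of the specific bug Ormandy found), the C program below shows the bug class behind the unpacker and container-parsing flaws described above: a decoder that sizes its work from a length field the attacker controls and then expands data without checking the real output capacity, beside a hardened decoder that bounds every write. The “TOY1” run-length format, the sample files and every function name are constructed for this example. So that the vulnerable path can run without crashing, the demo harness points it at a large scratch area while telling it the buffer holds 64 bytes; anything it writes beyond 64 bytes is exactly what would have corrupted memory in a real scanner.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy packed container, constructed for this example only (not RAR, CAB,
 * ZIP or any real format): 4-byte magic, little-endian uint32 "declared
 * unpacked size", then run-length pairs <count, byte>. */
#define MAGIC    "TOY1"
#define HDR_LEN  8
#define REAL_CAP 64   /* the output buffer the caller actually owns */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable unpacker: its only size check is against the header's
 * declared length; the expansion loop is bounded by the input, not by
 * out_cap, so runs that expand past the declared size write out of bounds.
 * Returns the number of bytes written, or -1 on a bad header. */
long unpack_vuln(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len < HDR_LEN || memcmp(in, MAGIC, 4) != 0) return -1;
    if (rd32le(in + 4) > out_cap) return -1;      /* trusts the header */
    size_t pos = 0;
    for (size_t i = HDR_LEN; i + 1 < in_len; i += 2) {
        uint8_t count = in[i], byte = in[i + 1];
        for (unsigned k = 0; k < count; k++)
            out[pos++] = byte;                     /* never compares pos with out_cap */
    }
    return (long)pos;
}

/* Hardened unpacker: every write is checked against the real capacity
 * (written so the subtraction cannot wrap), and a declared size that does
 * not match the actual expansion is treated as a malformed file. */
long unpack_safe(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len < HDR_LEN || memcmp(in, MAGIC, 4) != 0) return -1;
    uint32_t declared = rd32le(in + 4);
    if (declared > out_cap) return -1;
    size_t pos = 0;
    for (size_t i = HDR_LEN; i + 1 < in_len; i += 2) {
        uint8_t count = in[i], byte = in[i + 1];
        if (count > out_cap - pos) return -1;     /* would overflow: reject */
        memset(out + pos, byte, count);
        pos += count;
    }
    return pos == declared ? (long)pos : -1;     /* header lied: reject */
}

/* Constructed sample files. BENIGN declares 6 bytes and expands to "AAABBB".
 * CRAFTED declares 8 bytes, which passes the header check, but its four
 * 255-byte runs expand to 1020 bytes. */
static const uint8_t BENIGN[]  = { 'T','O','Y','1', 6,0,0,0, 3,'A', 3,'B' };
static const uint8_t CRAFTED[] = { 'T','O','Y','1', 8,0,0,0,
                                   255,'X', 255,'X', 255,'X', 255,'X' };

/* Demo harness for the vulnerable path: it is handed a 4096-byte scratch
 * area (ample for the sample files) but told the buffer holds REAL_CAP
 * bytes, so its out-of-bounds writes land in memory this program owns
 * instead of smashing the stack. Anything above REAL_CAP in the return
 * value is the overflow. */
long run_vuln(const uint8_t *in, size_t in_len) {
    static uint8_t scratch[4096];
    return unpack_vuln(in, in_len, scratch, REAL_CAP);
}

/* Unpack with the hardened decoder into a real REAL_CAP-byte buffer. */
long run_safe(const uint8_t *in, size_t in_len) {
    uint8_t buf[REAL_CAP];
    return unpack_safe(in, in_len, buf, sizeof buf);
}

/* Same, but report whether the output equals `expected` (1) or the file
 * was rejected or differs (0). */
int safe_unpacks_to(const uint8_t *in, size_t in_len, const char *expected) {
    uint8_t buf[REAL_CAP];
    long n = unpack_safe(in, in_len, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) &&
           memcmp(buf, expected, (size_t)n) == 0;
}

int main(void) {
    printf("benign  / safe: %ld bytes, matches AAABBB: %d\n",
           run_safe(BENIGN, sizeof BENIGN),
           safe_unpacks_to(BENIGN, sizeof BENIGN, "AAABBB"));
    printf("crafted / safe: %ld (rejected)\n", run_safe(CRAFTED, sizeof CRAFTED));
    printf("crafted / vuln: %ld bytes written into a %d-byte buffer\n",
           run_vuln(CRAFTED, sizeof CRAFTED), REAL_CAP);
    return 0;
}
```

The hardened version illustrates the two checks a decompressor in a privileged scanner cannot skip: bound each write by the capacity the caller actually provided, never by a size the file claims, and treat any disagreement between the declared and actual output size as an error rather than a hint. The same pattern applies whether the decoder lives in a user-mode sandbox or, as Ormandy found with Symantec, in the kernel, where the cost of skipping it is a ring-0 memory corruption reachable from an unopened email attachment.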
“…This is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers,” wrote Ormandy in his analysis. “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy antivirus. It's a significant trade-off in terms of increasing attack surface.”
Emphasizing the need for antivirus vendors to perform responsible vulnerability management, Ormandy wrote that Symantec “dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open-source libraries… but hadn't updated them in at least seven years.”
In its own advisory, Symantec listed the eight vulnerabilities by affected component, including a RAR decompression memory access violation, a Dec2SS buffer overflow, a Dec2LHA buffer overflow, a CAB decompression memory corruption, a MIME message modification memory corruption, a TNEF integer overflow, and a ZIP decompression memory access violation.
Asked for further comment, Symantec directed SCMagazine.com to its official blog, which yesterday published a statement by Adam Bromwich, VP of security technology and response, that included the following: “Symantec has not seen evidence of any of these vulnerabilities being exploited in the wild. More importantly, fixes are currently in place and updates are now available for customers to install.”