
Vulnerabilities in Symantec products create worst-case scenario; users urged to update


Using ominous turns of phrase like “As bad as it gets” and “100 percent reliable exploit,” Google Project Zero researcher Tavis Ormandy yesterday issued an at-times scathing analysis of eight vulnerabilities he discovered across the entire Symantec-Norton security product line.

Symantec issued its own security advisory as well, noting that these vulnerabilities – most of which are of critical severity – primarily involve the parsing of malicious container files, which “may cause memory corruption, integer overflow or buffer overflow in Symantec's decomposer engine.”

Ormandy didn't mince words when describing why these flaws are so grave: “They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible,” he wrote in his blog post.

Moreover, if exploited, they could result in denial of service attacks, arbitrary code execution, privilege escalation and kernel-level control of a machine. While Symantec addressed some of these flaws via automatic upgrades, other products require users and administrators to initiate the update, which is highly advised.

Among the key problems raised by Ormandy is the way Symantec (and other antivirus vendors, for that matter) manages executable code that arrives packed, or compressed. Packing is sometimes used to obfuscate malware, so AV solutions rely on unpackers to restore unknown files back to their original form. Unfortunately, one of Symantec's unpacking software programs has a trivial buffer overflow vulnerability that can be exploited simply by sending a crafted email with a malicious file or link. The recipient need not even open the file or interact with it to be affected. Worse, because Symantec runs its unpackers inside a machine's kernel, the resulting memory corruption is triggered at the kernel level.
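The paragraph above describes the failure mode in general terms: an unpacker takes a size and a sequence of records from untrusted input and writes expanded data into a fixed buffer. As an added illustration, not code from the article, from Symantec or from Project Zero, the C program below implements a toy decoder for a container format invented here (a 4-byte declared length followed by run-length records) and shows the three checks such a decoder needs before trusting what the file says about itself. The format, the function names and the sample inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical container format, constructed for this example (not Symantec's):
 *   bytes 0..3 : little-endian declared unpacked length
 *   then records of [count][value], each expanding to `count` copies of value.
 * The header and every record come from untrusted input. */
enum {
    UNPACK_OK = 0,
    UNPACK_BAD_HEADER = -1,   /* input too short to carry a header */
    UNPACK_TOO_LARGE = -2,    /* declared size exceeds the buffer we own */
    UNPACK_OVERRUN = -3,      /* a record would write past the declared size */
    UNPACK_TRUNCATED = -4     /* stream ends early or leaves a half record */
};

int unpack(const uint8_t *in, size_t in_len,
           uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (in_len < 4) return UNPACK_BAD_HEADER;
    uint32_t declared = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
                        ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
    /* Check 1: the declared size must fit the destination buffer. */
    if (declared > out_cap) return UNPACK_TOO_LARGE;

    size_t produced = 0;
    size_t pos = 4;
    while (pos + 2 <= in_len) {
        size_t count = in[pos];
        uint8_t value = in[pos + 1];
        pos += 2;
        /* Check 2: each record is bounded by the declared size, not just by
         * the header having passed Check 1. A decoder that memset()s here
         * without this test is the classic decompression overflow. */
        if (count > declared - produced) return UNPACK_OVERRUN;
        memset(out + produced, value, count);
        produced += count;
    }
    /* Check 3: the stream must be consumed exactly and must deliver exactly
     * the length the header promised; anything else is a malformed file. */
    if (pos != in_len) return UNPACK_TRUNCATED;
    if (produced != declared) return UNPACK_TRUNCATED;
    *out_len = produced;
    return UNPACK_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_GOOD[]    = {5, 0, 0, 0, 3, 'A', 2, 'B'};        /* "AAABB" */
static const uint8_t SAMPLE_OVERRUN[] = {2, 0, 0, 0, 200, 'A'};              /* says 2, expands to 200 */
static const uint8_t SAMPLE_HUGE[]    = {0xff, 0xff, 0xff, 0x7f, 1, 'A'};    /* claims ~2 GiB */
static const uint8_t SAMPLE_HALF[]    = {1, 0, 0, 0, 1, 'A', 7};             /* dangling byte */

/* Decode into a small fixed buffer and report the status code. */
int unpack_status(const uint8_t *in, size_t in_len)
{
    uint8_t buf[16];
    size_t n = 0;
    return unpack(in, in_len, buf, sizeof buf, &n);
}

/* Returns 1 when the well-formed sample decodes to the expected bytes. */
int demo_good_decodes(void)
{
    uint8_t buf[16];
    size_t n = 0;
    int r = unpack(SAMPLE_GOOD, sizeof SAMPLE_GOOD, buf, sizeof buf, &n);
    return r == UNPACK_OK && n == 5 && memcmp(buf, "AAABB", 5) == 0;
}

int main(void)
{
    printf("good:    %d\n", unpack_status(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("overrun: %d\n", unpack_status(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN));
    printf("huge:    %d\n", unpack_status(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("half:    %d\n", unpack_status(SAMPLE_HALF, sizeof SAMPLE_HALF));
    return demo_good_decodes() ? 0 : 1;
}
```

The point of the three separate checks is that each guards a different lie the file can tell: a header that overstates the size, a record that contradicts an honest header, and a stream that stops short. Running the decoder in a low-privilege, sandboxed process rather than in the kernel limits what a missed check can cost, which is the trade-off Ormandy's analysis is about.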

“…This is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers,” wrote Ormandy in his analysis. “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy antivirus. It's a significant trade-off in terms of increasing attack surface.”

Emphasizing the need for antivirus vendors to perform responsible vulnerability management, Ormandy wrote that Symantec “dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open-source libraries… but hadn't updated them in at least seven years.”

In its own advisory, Symantec more specifically referred to the eight vulnerabilities as a RAR decompression memory access violation, a Dec2SS buffer overflow, a Dec2LHA buffer overflow, a CAB decompression memory corruption, a MIME message modification memory corruption, a TNEF integer overflow, and a ZIP decompression memory access violation.

Asked for further comment, Symantec directed SCMagazine.com to its official blog, which yesterday published a statement authored by VP of security technology and response Adam Bromwich that included the following: “Symantec has not seen evidence of any of these vulnerabilities being exploited in the wild. More importantly, fixes are currently in place and updates are now available for customers to install.”


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
