Critical security vulnerabilities have been found within Symantec and Norton products are “as bad as they get,” according to security researchers.
On Tuesday, Google’s bug-hunting Project Zero team disclosed multiple critical flaws found within Symantec’s core engine, used as the backbone of both consumer and enterprise security products.
According to the tech giant, the use of Symantec’s core engine across its full product line, alongside Norton-branded products, has the potential to cause devastation for consumers and the enterprise alike.
Project Zero security researcher Tavis Ormandy said:
“These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.
In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
The bugs have risen due to a number of problems. One vulnerability, CVE-2016-2208, has been made possible as Symantec runs unpackers in the Kernel, and a “trivial” buffer overflow escalates to a Windows-based kernel memory corruption bug and potential remote code execution.
No user interaction is required to exploit this issue as just “emailing a file to a victim or sending them a link to an exploit is enough to trigger it,” according to Ormandy.
In addition, a “100 percent reliable” critical return-oriented programming (ROP) exploit can also be used against the core engine to damage versions of Symantec software on all platforms, affecting software with default configuration in Norton Antivirus and Symantec Endpoint. This issue is also exploitable just from email or the web.
These vulnerabilities impact not only Symantec’s flagship enterprise product, Symantec Endpoint Protection, but also Norton Security, Norton 360, and other legacy Norton products, Symantec Email Security, Symantec Protection Engine and Symantec Protection for SharePoint Servers, among others.
The team says that all versions on all platforms are impacted, and so if exploited, could have proven to be catastrophic Symantec, which is well-known as an enterprise and consumer security vendor.
The bugs in question are shocking to find in software meant to protect you. Not only could such problems result in Symantec taking a knock to reputation, but cyberattackers could gain entrance to corporate networks or hijack personal systems with the firm’s antivirus products installed.
However, Symantec needs to take a lesson from this — as a closer look also revealed outdated libraries in use which could expose the software to attack through well-known, public exploits.
“Symantec dropped the ball here,” Ormandy notes. “A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least seven years.
Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases. “
Symantec posted an advisory confirming the existence of these vulnerabilities but insists the firm is not aware of any exploits in the wild leveraging the flaws.
Fixes have been included in product updates, and “additional checks” have been added to the vendor’s security cycle systems to prevent this happening again.
The tale of woe isn’t finished there. Some of these products cannot be automatically updated, and so administrators need to check product update processes and take action now to prevent these security flaws being exploited.