Second Symantec Anti-Virus Bugfest Found

Google's Tavis Ormandy Finds More Flaws Exploitable via a Single Email
Google Project Zero researcher Tavis Ormandy has once again found significant vulnerabilities in Symantec's security products, a little more than a month after his last review (see Researcher Hacks Symantec's AV Via Email). And this time, the findings are just as bad.

Symantec has issued updates, most of which will install automatically using Symantec's LiveUpdate feature, but some require manual updating. The company says it isn't aware of active attacks, but administrators should get patching.

Ormandy took a close look at how Symantec's products handle executables that have been compressed, in order to check whether those applications pose a security risk. Malware authors usually run their code through utilities called packers. Packers are legitimate tools that compress executables, which can allow for faster downloading, but packed code is trickier for security applications to analyze.

The challenge for security applications is that the compressed code first needs to be unpacked. Ormandy writes that Symantec actually unpacks code inside the kernel - the most sensitive part of the operating system, with full access rights to the entire machine - rather than, for example, using a much safer sandboxed approach.

He found a host of issues, including vulnerabilities that could be triggered simply by sending someone an email or a link to an exploit. The victim would not even have to open a file containing an exploit, meaning the attack essentially has worm-like capabilities, he writes.

Critical Flaws, Serious Risks

Ormandy warned of "potentially devastating consequences to Norton and Symantec customers."

"These vulnerabilities are as bad as it gets," Ormandy writes. "They don't require any user interaction, they affect the default configuration and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

Symantec uses the same core anti-virus engine that's in its Endpoint Protection product across other lines, including Norton. A June 28 security advisory issued by the company lists 17 enterprise products and eight consumer and small business products that are affected, including - but not limited to - the following:

  • Advanced Threat Protection
  • Critical System Protection
  • CSAPI
  • Data Center Server
  • Embedded Systems Critical Security Protection
  • Endpoint Protection for Linux and Mac
  • Mail Security for Domino
  • Mail Security for Microsoft Exchange
  • Message Gateway and Message Gateway for Service Providers
  • Protection Engine
  • Protection for SharePoint Servers
  • Web Security

Ormandy writes that one of the flaws, CVE-2016-2208, involves a buffer overflow when Symantec's anti-virus engine unpacks files that have been compressed with ASPack, which is commercial packing software.
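The class of defect described above, an unpacker that trusts the size a packed file declares about itself, is easier to see in code. The following is an added illustration, not Symantec's code and not the ASPack format: it uses a toy run-length format (constructed here, with a two-byte header that claims the unpacked size, followed by count/value pairs) and shows a header-trusting unpacker beside a bounds-checked one. The defective version is included only for contrast and is exercised only on the well-formed sample; the checked version rejects the sample whose header under-declares the output. Function and constant names are the example's own.

```c
/*
 * Added illustration (not Symantec's or ASPack's code): a toy packed format
 * with a size-declaring header, unpacked once without and once with bounds checks.
 *
 * Constructed format:
 *   bytes 0..1 : declared unpacked size (little-endian uint16)
 *   then pairs : (count, value) -> emit `count` copies of `value`
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNPACK_OK        0
#define UNPACK_BAD_INPUT -1   /* malformed payload or a header that lies */

static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Defective version: allocates exactly what the header claims, then writes
 * every run in the payload without checking that it still fits. A payload
 * whose runs add up to more than the header declares writes past the heap
 * buffer. Kept only for contrast; call it on well-formed input only. */
int unpack_trusting(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len) {
    if (in_len < 2 || (in_len - 2) % 2 != 0) return UNPACK_BAD_INPUT;
    size_t declared = read_u16le(in);
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return UNPACK_BAD_INPUT;
    size_t pos = 0;
    for (size_t i = 2; i < in_len; i += 2) {
        memset(buf + pos, in[i + 1], in[i]);   /* missing: pos + count <= declared */
        pos += in[i];
    }
    *out = buf; *out_len = pos;
    return UNPACK_OK;
}

/* Hardened version: the header is an untrusted claim. Each run is checked
 * against the remaining room before it is written, and a payload that yields
 * a different length than the header claims is rejected as inconsistent. */
int unpack_checked(const uint8_t *in, size_t in_len, uint8_t **out, size_t *out_len) {
    if (in_len < 2 || (in_len - 2) % 2 != 0) return UNPACK_BAD_INPUT;
    size_t declared = read_u16le(in);
    uint8_t *buf = malloc(declared ? declared : 1);
    if (!buf) return UNPACK_BAD_INPUT;
    size_t pos = 0;
    for (size_t i = 2; i < in_len; i += 2) {
        size_t count = in[i];
        if (count > declared - pos) {          /* would overrun the buffer: reject */
            free(buf);
            return UNPACK_BAD_INPUT;
        }
        memset(buf + pos, in[i + 1], count);
        pos += count;
    }
    if (pos != declared) { free(buf); return UNPACK_BAD_INPUT; }
    *out = buf; *out_len = pos;
    return UNPACK_OK;
}

/* Constructed samples: a consistent file, and one whose header claims 2 bytes
 * while its runs produce 5. */
static const uint8_t GOOD_PACKED[]  = { 0x05, 0x00, 0x03, 'A', 0x02, 'B' };  /* -> "AAABB" */
static const uint8_t LYING_PACKED[] = { 0x02, 0x00, 0x03, 'A', 0x02, 'B' };  /* claims 2, emits 5 */

/* Unpack GOOD_PACKED with the checked unpacker; returns 5 on success, -1 otherwise. */
int demo_checked_good_length(void) {
    uint8_t *o = NULL; size_t n = 0;
    if (unpack_checked(GOOD_PACKED, sizeof GOOD_PACKED, &o, &n) != UNPACK_OK) return -1;
    int ok = (n == 5 && memcmp(o, "AAABB", 5) == 0);
    free(o);
    return ok ? 5 : -1;
}

/* The trusting unpacker agrees on well-formed input; returns 5 or -1. */
int demo_trusting_good_length(void) {
    uint8_t *o = NULL; size_t n = 0;
    if (unpack_trusting(GOOD_PACKED, sizeof GOOD_PACKED, &o, &n) != UNPACK_OK) return -1;
    int ok = (n == 5 && memcmp(o, "AAABB", 5) == 0);
    free(o);
    return ok ? 5 : -1;
}

/* The checked unpacker refuses the lying header instead of overrunning. */
int demo_checked_lying_status(void) {
    uint8_t *o = NULL; size_t n = 0;
    return unpack_checked(LYING_PACKED, sizeof LYING_PACKED, &o, &n);
}

int main(void) {
    printf("checked/good: %d, trusting/good: %d, checked/lying: %d\n",
           demo_checked_good_length(), demo_trusting_good_length(),
           demo_checked_lying_status());
    return 0;
}
```

The point for a defender is the location of the check: the hardened unpacker never consults the header to decide how much to write, only to decide how much room there is, and treats any disagreement between header and payload as a reason to stop. When such a parser runs in the kernel, as the article says Symantec's does, the difference between the two functions is the difference between a rejected file and remote kernel memory corruption.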

"An attacker could easily compromise an entire enterprise fleet using a vulnerability like this," Ormandy writes. "Network administrators should keep scenarios like this in mind when deciding to deploy anti-virus, it's a significant tradeoff in terms of increasing attack surface."

Ormandy has long warned that anti-virus and other security programs often contain devastating flaws, and he has found issues in a range of products from vendors such as Kaspersky Lab, ESET, FireEye, Avira and Sophos. His research over the past couple of years has echoed what security analysts have said for some time: that security products may in some cases actually be the Achilles' heels of systems (see Yes Virginia, Even Security Software Has Flaws).


About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a 20-year veteran journalist who has reported from more than a dozen countries. An expat American now based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked for 10 years from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
