Second Symantec Anti-Virus Bugfest FoundGoogle's Tavis Ormandy Finds More Flaws Exploitable via a Single Email
Google Project Zero researcher Tavis Ormandy has once again found significant vulnerabilities in Symantec's security products, a little more than a month after his last review (see Researcher Hacks Symantec's AV Via Email). And this time, the findings are just as bad.
Symantec has issued updates, most of which will install automatically using Symantec's LiveUpdate feature, but some require manual updating. The company says it isn't aware of active attacks, but administrators should get patching.
Ormandy took a close look at how Symantec's products handle executables that have been compressed to ensure those applications are not a security risk. Malware authors usually run their code through utilities called packers. The utilities are legitimate tools that compress executables, which can allow for faster downloading, but packed code is more tricky for security applications to analyze.
The challenge for security applications is that that compressed code needs to be unpacked. Ormandy writes that Symantec actually unpacks code right inside the kernel - the most sensitive part of the operating system that has full access rights to the entire machine - rather than using a much safer sandbox approach, for example.
He found a host of issues, including vulnerabilities that could be triggered by sending an email to someone or a link to an exploit. A file containing an exploit would not even have to be opened by the victim, meaning the attack essentially has worm-like capabilities, he writes.
Critical Flaws, Serious Risks
Ormandy warned of "potentially devastating consequences to Norton and Symantec customers."
"These vulnerabilities are as bad as it gets," Ormandy writes. "They don't require any user interaction, they affect the default configuration and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
Symantec uses the same core anti-virus engine that's in its Endpoint Protection product across other lines, including Norton. A June 28 security advisory issued by the company lists 17 enterprise products and eight consumer and small business products that are affected, including - but not limited to - the following:
- Advanced Threat Protection
- Critical System Protection
- Data Center Server
- Embedded Systems Critical Security Protection
- Endpoint Protection for Linux and Mac
- Mail Security for Domino
- Mail Security for Microsoft Exchange
- Message Gateway and Message Gateway for Service Providers
- Protection Engine
- Protection for SharePoint Servers
- Web Security
Ormandy writes that one of the flaws, CVE-2016-2208, involves a buffer overflow when Symantec's anti-virus engine unpacks files that have been compressed with ASPack, which is commercial packing software.
"An attacker could easily compromise an entire enterprise fleet using a vulnerability like this, Ormandy writes. "Network administrators should keep scenarios like this in mind when deciding to deploy anti-virus, it's a significant tradeoff in terms of increasing attack surface."
Ormandy has long warned that anti-virus and other security programs often contain devastating flaws, and he has found issues in a range of products from vendors such as Kaspersky Lab, ESET, FireEye, Avira and Sophos. His research over the past couple of years has echoed what security analysts have said for some time: that security products may in some cases actually be the Achilles' heels of systems (see Yes Virginia, Even Security Software Has Flaws).