American technology company Symantec has issued patches that address several high-severity vulnerabilities found in its products.
In a blog post published on Tuesday, security researcher Tavis Ormandy doesn’t mince his words when describing the flaws:
“These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
One of the vulnerabilities (CVE-2016-2208) affects the code Symantec uses to unpack executables compressed with ASPack, a commercial packing tool.
Most anti-virus products include unpackers that reverse what packers do. Packers compress and obfuscate executables, changing how a potentially malicious file looks on disk; unpacking restores the original code so the scanner can match it accurately against its detections.
Symantec runs this unpacker in the kernel on Windows, so an attacker who exploits CVE-2016-2208 gets kernel memory corruption there, and a clean heap overflow as root inside the Symantec or Norton scanning process on Linux, Mac and other UNIX platforms.
The vulnerability therefore allows an attacker to achieve remote code execution, or at minimum to crash the system, by feeding Symantec's kernel component a crafted file.
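The bug class described above, as an added example that is not code from Symantec, ASPack or Ormandy's post: a constructed toy unpacker that trusts a size field read from the file, beside a version that validates every length before copying. The two-field header layout, the MAX_IMAGE cap and the 0xCC sample bytes are assumptions made for the illustration; real packers and the real unpacker are considerably more involved, but the failure (copying raw_size bytes into a virtual_size buffer) is the same shape.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy section header, loosely modelled on the two PE section
 * fields an executable unpacker reads (VirtualSize and SizeOfRawData).
 * It is an illustration of the bug class, not Symantec's or ASPack's format. */
struct section_hdr {
    uint32_t virtual_size; /* size of the in-memory image the unpacker allocates */
    uint32_t raw_size;     /* number of packed bytes that follow the header */
};

#define MAX_IMAGE (16u * 1024u * 1024u) /* assumed sanity cap on one section */

enum unpack_status { UNPACK_OK = 0, UNPACK_TRUNCATED, UNPACK_OVERSIZED, UNPACK_NOMEM };

/* Vulnerable pattern: raw_size is taken from the file and copied into a
 * buffer sized by virtual_size. A file with raw_size > virtual_size makes
 * memcpy write past the allocation: a heap overflow in user space, kernel
 * memory corruption where the unpacker runs in the kernel. Shown only for
 * contrast; it must never see untrusted input. */
static unsigned char *unpack_vulnerable(const unsigned char *file, size_t len, size_t *out_len)
{
    struct section_hdr h;
    if (len < sizeof h) return NULL;
    memcpy(&h, file, sizeof h);
    unsigned char *img = calloc(h.virtual_size ? h.virtual_size : 1, 1);
    if (!img) return NULL;
    memcpy(img, file + sizeof h, h.raw_size); /* BUG: raw_size is never checked */
    *out_len = h.virtual_size;
    return img;
}

/* Hardened version: every length read from the file is validated against
 * both the remaining input and the destination before any byte is copied. */
static enum unpack_status unpack_checked(const unsigned char *file, size_t len,
                                        unsigned char **out, size_t *out_len)
{
    struct section_hdr h;
    *out = NULL;
    *out_len = 0;
    if (len < sizeof h) return UNPACK_TRUNCATED;
    memcpy(&h, file, sizeof h);
    if (h.virtual_size > MAX_IMAGE) return UNPACK_OVERSIZED;   /* refuse absurd allocations */
    if (h.raw_size > h.virtual_size) return UNPACK_OVERSIZED;  /* would overflow the image */
    if (h.raw_size > len - sizeof h) return UNPACK_TRUNCATED;  /* would read past the file */
    unsigned char *img = calloc(h.virtual_size ? h.virtual_size : 1, 1);
    if (!img) return UNPACK_NOMEM;
    memcpy(img, file + sizeof h, h.raw_size);
    *out = img;
    *out_len = h.virtual_size;
    return UNPACK_OK;
}

/* Build a constructed sample in buf: a header claiming (vsize, rsize),
 * followed by `trailing` bytes of 0xCC. Returns the total length, 0 on no room. */
static size_t build_sample(unsigned char *buf, size_t cap, uint32_t vsize,
                           uint32_t rsize, size_t trailing)
{
    struct section_hdr h = { vsize, rsize };
    if (cap < sizeof h + trailing) return 0;
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0xCC, trailing);
    return sizeof h + trailing;
}

/* Run the checked unpacker on a constructed sample and return its status. */
int check_sample(uint32_t vsize, uint32_t rsize, size_t trailing)
{
    unsigned char buf[512];
    unsigned char *img = NULL;
    size_t img_len = 0;
    size_t n = build_sample(buf, sizeof buf, vsize, rsize, trailing);
    if (n == 0) return UNPACK_TRUNCATED;
    enum unpack_status st = unpack_checked(buf, n, &img, &img_len);
    free(img);
    return (int)st;
}

int main(void)
{
    /* Benign: 16 packed bytes into a 64-byte image. */
    printf("benign    -> %d\n", check_sample(64, 16, 16));
    /* Malicious: raw_size (64) larger than virtual_size (16). The vulnerable
     * unpacker would write 48 bytes past its allocation; the checked one refuses. */
    printf("oversized -> %d\n", check_sample(16, 64, 64));
    /* Header promises 32 bytes but the file only carries 8. */
    printf("truncated -> %d\n", check_sample(64, 32, 8));

    /* The vulnerable path is exercised only on the benign sample. */
    unsigned char buf[512];
    size_t n = build_sample(buf, sizeof buf, 64, 16, 16);
    size_t out_len = 0;
    unsigned char *img = unpack_vulnerable(buf, n, &out_len);
    printf("vulnerable unpacker on benign input -> image of %zu bytes\n", out_len);
    free(img);
    return 0;
}
```

The point of the checked version is that no value read from the file is used as a copy length or allocation size until it has been compared against what the file actually contains and what the destination can hold; that ordering, not the particular cap, is what separates a crash-or-worse from a rejected sample.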
Ormandy notes this process doesn’t require any interaction on the part of the user:
“Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.”
He adds: “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
Along with CVE-2016-2208, Ormandy reported several further stack buffer overflows and memory corruption bugs. He also found that Symantec shipped a number of open source libraries it had not updated in seven years, so fixes published upstream during that time never reached Symantec's products.
Affected products include Norton Security, Advanced Threat Protection, Endpoint Protection, and others.
Symantec has issued its own advisory acknowledging the vulnerabilities. It lists the product updates that address them, along with the checks added to Symantec's Secure Development Lifecycle that are meant to catch similar bugs earlier in future.
Many users will receive the updates automatically, but some of the fixes must be applied manually. Symantec users should therefore read the advisory and confirm that every affected product in their environment has been patched.