Developer considers risk as being of medium severity

Aug 1, 2014 14:30 GMT

In the wake of the zero-day threats in the Symantec Endpoint Protection (SEP) suite presented by the Offensive Security team this week, Symantec has released an advisory with guidance on avoiding compromise.

The problem appears to affect the Application and Device Control component of the suite, and the vendor says it has received no reports of compromise.

However, should the vulnerability be exploited, the consequences range from crashing the client to creating a denial-of-service condition, and even to escalating to administrator privileges and taking control of the affected system; this is also the point Offensive Security made in a video demonstrating their exploit.

Symantec also points out that the flaw is rated as medium severity and cannot be exploited remotely.

All versions of SEP clients 11.x and 12.x running the Application and Device Control component are vulnerable.

At the moment there is no patch for the issue, but Symantec offers mitigations that reduce the risk on the affected versions of the client.

In the case of 12.x, one way to avoid exploitation is to disable the driver of the vulnerable component (Application and Device Control); another is to remove the component entirely by uninstalling it.

On systems with version 11.x of SEP installed, the only solution provided by the developer is to withdraw the Application and Device Control policy; a restart is required for the modification to take effect.

This flaw may not be of a critical nature, but the simple fact that it exists in software designed to protect a computer system is quite worrying.

A security researcher from Singapore-based Coseinc, a private company that offers information security services, gave a presentation on flaws present in multiple consumer security products.

In his presentation at the SyScan 360 security conference, Joxean Koret showed how he found dozens of vulnerabilities, exploitable both locally and remotely, using a fuzzing tool of his own making.

Some of the flaws discovered would allow privilege escalation and arbitrary code execution.

His opinion is that an antivirus product installed on a computer actually increases the attack surface, because such applications run with the highest privileges.

“If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... Your attack surface dramatically increased,” he said at the conference.

However, from the slides of the presentation, it appears that Symantec’s products were not tested by Koret.