Tavis Ormandy returns with new Symantec security holes

Sep 21, 2016 08:10 GMT  ·  By

Symantec has released updates for its products to address two security issues that let an attacker crash its security software with a malicious RAR file, leaving the product in a Denial-of-Service (DoS) state.

Google security researcher Tavis Ormandy discovered the issues and reported them to the antivirus maker. Both are exploitable via malicious RAR files.

Bugs are easy to weaponize

Most security software today scans files in transit or as they arrive on the user's PC, and that includes inspecting archived content, whether it is packed as RAR, ZIP, or another archive format.

To do so, the scanner has to unpack the archive and analyze the files inside, which means its own parser processes attacker-supplied data. A RAR file with a crafted header can make Symantec's parser crash through an out-of-bounds read (CVE-2016-5309) or memory corruption (CVE-2016-5310).

"This may cause an application-level denial of service condition but does not allow any additional exploit opportunities," Symantec explains in its advisory.
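The bug class behind both CVEs, an archive parser that trusts lengths declared in a RAR header, as an added example. This is illustrative code written for this page, not Symantec's Decomposer code, not its fix, and not Ormandy's proof of concept; the RAR 4.x header layout follows the publicly documented format, the sample archive bytes are constructed here, and the function names (`rar_find_first_file`, the `demo_*` helpers) are this example's own. The parser skips the marker and main header, decodes the first file header, and refuses any header whose declared HEAD_SIZE or NAME_SIZE does not fit the bytes actually present; drop those checks and a NAME_SIZE of 65535 in a 41-byte header turns the name copy into an out-of-bounds read of the kind the advisory describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes; anything but RAR_OK means the scanner should reject the file. */
enum rar_status {
    RAR_OK = 0,
    RAR_ERR_BAD_MARKER,
    RAR_ERR_TRUNCATED,      /* header claims more bytes than the buffer holds */
    RAR_ERR_HEAD_SIZE,      /* HEAD_SIZE smaller than the header's own fixed part */
    RAR_ERR_NAME_SIZE,      /* NAME_SIZE would run past the header or our name buffer */
    RAR_ERR_NO_FILE_HEADER
};

struct rar_file_entry {
    uint32_t packed_size;
    uint32_t unpacked_size;
    uint8_t  method;
    char     name[260];
};

/* RAR 4.x (RAR 2.9 format) layout, per the public format description. */
static const uint8_t RAR_MARKER[7] = { 0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00 }; /* "Rar!\x1a\x07\0" */
#define RAR_BLOCK_HDR_LEN   7      /* HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) */
#define RAR_FILE_FIXED_LEN  25     /* PACK_SIZE(4) UNP_SIZE(4) HOST_OS(1) FILE_CRC(4) FTIME(4) UNP_VER(1) METHOD(1) NAME_SIZE(2) ATTR(4) */
#define RAR_HEAD_FILE       0x74
#define RAR_FLAG_LARGE      0x0100 /* HIGH_PACK_SIZE/HIGH_UNP_SIZE precede the name */
#define RAR_FLAG_LONG_BLOCK 0x8000 /* ADD_SIZE field follows the block header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the block chain and decode the first file header. Every header-declared
 * length is checked against the bytes actually present before it is used; the
 * size checks marked "bound" are what a parser that trusts the header omits. */
enum rar_status rar_find_first_file(const uint8_t *buf, size_t len, struct rar_file_entry *out)
{
    size_t off;
    if (len < sizeof RAR_MARKER || memcmp(buf, RAR_MARKER, sizeof RAR_MARKER) != 0)
        return RAR_ERR_BAD_MARKER;

    for (off = sizeof RAR_MARKER; len - off >= RAR_BLOCK_HDR_LEN; ) {
        const uint8_t *blk = buf + off;
        size_t   remaining = len - off;
        uint8_t  type      = blk[2];
        uint16_t flags     = rd16(blk + 3);
        uint16_t head_size = rd16(blk + 5);
        size_t   add_size  = 0;

        if (head_size < RAR_BLOCK_HDR_LEN) return RAR_ERR_HEAD_SIZE;
        if (head_size > remaining)         return RAR_ERR_TRUNCATED;  /* bound 1: header vs. buffer */

        if (type == RAR_HEAD_FILE) {
            size_t name_off = RAR_BLOCK_HDR_LEN + RAR_FILE_FIXED_LEN;
            uint16_t name_size;
            if (flags & RAR_FLAG_LARGE) name_off += 8;
            if (head_size < name_off) return RAR_ERR_HEAD_SIZE;              /* bound 2: fixed fields vs. header */
            name_size = rd16(blk + RAR_BLOCK_HDR_LEN + 19);                   /* NAME_SIZE sits at offset 26 */
            if (name_size > head_size - name_off) return RAR_ERR_NAME_SIZE;  /* bound 3: name vs. header */
            if (name_size >= sizeof out->name)    return RAR_ERR_NAME_SIZE;  /* bound 4: name vs. our buffer */
            out->packed_size   = rd32(blk + 7);
            out->unpacked_size = rd32(blk + 11);
            out->method        = blk[25];
            memcpy(out->name, blk + name_off, name_size);   /* safe only because of bounds 1-4 */
            out->name[name_size] = '\0';
            return RAR_OK;
        }
        if (flags & RAR_FLAG_LONG_BLOCK) {
            if (head_size < RAR_BLOCK_HDR_LEN + 4) return RAR_ERR_HEAD_SIZE;
            add_size = rd32(blk + RAR_BLOCK_HDR_LEN);
        }
        if (add_size > remaining - head_size) return RAR_ERR_TRUNCATED;
        off += head_size + add_size;   /* skip the header and the data it says follows it */
    }
    return RAR_ERR_NO_FILE_HEADER;
}

/* Constructed sample (not a real archive): marker, main header, one stored file
 * "hello.txt" holding "hello". CRCs are zero because this parser does not check them. */
static const uint8_t SAMPLE_RAR[] = {
    0x52,0x61,0x72,0x21,0x1A,0x07,0x00,                                      /* marker block */
    0x00,0x00, 0x73, 0x00,0x00, 0x0D,0x00, 0x00,0x00, 0x00,0x00,0x00,0x00,   /* main header, HEAD_SIZE 13 */
    0x00,0x00, 0x74, 0x00,0x80, 0x29,0x00,                                   /* file header, LONG_BLOCK, HEAD_SIZE 41 */
    0x05,0x00,0x00,0x00, 0x05,0x00,0x00,0x00, 0x02,                          /* PACK_SIZE 5, UNP_SIZE 5, HOST_OS */
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x1D, 0x30,                    /* FILE_CRC, FTIME, UNP_VER, METHOD store */
    0x09,0x00, 0x20,0x00,0x00,0x00,                                          /* NAME_SIZE 9, ATTR */
    'h','e','l','l','o','.','t','x','t',                                     /* FILE_NAME */
    'h','e','l','l','o'                                                      /* stored data */
};

static struct rar_file_entry g_entry;
enum rar_status demo_valid(void) { return rar_find_first_file(SAMPLE_RAR, sizeof SAMPLE_RAR, &g_entry); }
const char *demo_name(void) { return g_entry.name; }
uint32_t demo_unpacked_size(void) { return g_entry.unpacked_size; }

/* Parse a copy of the sample with one 16-bit header field overwritten, as a crafted file would. */
static enum rar_status parse_patched(size_t at, uint16_t value)
{
    uint8_t copy[sizeof SAMPLE_RAR];
    struct rar_file_entry e;
    memcpy(copy, SAMPLE_RAR, sizeof copy);
    copy[at] = (uint8_t)(value & 0xFF);
    copy[at + 1] = (uint8_t)(value >> 8);
    return rar_find_first_file(copy, sizeof copy, &e);
}
enum rar_status demo_oversized_name(void)    { return parse_patched(46, 0xFFFF); } /* NAME_SIZE 65535 in a 41-byte header */
enum rar_status demo_oversized_header(void)  { return parse_patched(25, 0x0700); } /* HEAD_SIZE 1792 in a 66-byte file */
enum rar_status demo_undersized_header(void) { return parse_patched(25, 0x0003); } /* HEAD_SIZE 3, below its fixed part */

int main(void)
{
    printf("valid: status %d name %s unpacked %u\n", demo_valid(), demo_name(), (unsigned)demo_unpacked_size());
    printf("oversized NAME_SIZE %d, oversized HEAD_SIZE %d, undersized HEAD_SIZE %d\n",
           demo_oversized_name(), demo_oversized_header(), demo_undersized_header());
    return 0;
}
```

The three crafted variants each fail at a different bound; the point for a scanner is that the failure is a clean rejection, not a read past the end of the input or a crash that takes the product down with it.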

Bugs expose underlying systems to hacking

The Symantec products themselves may offer no "additional exploit opportunities," but a crashed scanner leaves the underlying system without protection. An attacker using these bugs is most likely trying to knock out the user's security product as a first step, not to exploit the product itself.

Furthermore, the bugs are easy to weaponize: because the scanner processes incoming files automatically, the attacker only has to email the user the malicious RAR file as an attachment, or lure them to a web page that links to it.

A large number of Symantec products are affected, such as the company's flagship product, the Symantec Endpoint Protection (for Mac, Linux, and Windows), Symantec Endpoint Protection Cloud (SEPC) (for Mac and Windows), Symantec Protection Engine, Symantec Web Gateway, and many of its other enterprise and server solutions.

The company has addressed all issues with patches. Some of these have already been delivered via the company's LiveUpdate feature.

This is the third time Ormandy has helped Symantec secure its products, after he reported other security issues that the company patched in May and June 2016.

On Twitter, the Google researcher disagreed with Symantec's assessment of the bugs as DoS issues, saying they were RCEs (Remote Code Execution). He also released proof-of-concept code.