14 DAY TRIAL // Tavis Ormandy, a member of Google's Project Zero initiative, has discovered a series of vulnerabilities in Symantec's security products. Due to the nature of these flaws, they affect a large number of Symantec products, and not all can be patched via automatic updates.
"These vulnerabilities are as bad as it gets," Ormandy writes on Google's blog. "They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
The vulnerable code to which Ormandy is referring is part of ASPack, a commercial packing software piece that Symantec uses to analyze files scanned for malware.
Running code in the kernel is always a bad idea
Ormandy says that Symantec's mistake was to run this component in the operating system's kernel, under the highest privilege available. A vulnerability in this component gives the attacker a golden ticket to full control over the system, without the need for a second-stage exploit to escalate their access.
Besides this main issue, CVE-2016-2208, the researcher also claims he found multiple stack buffer overflows and memory corruption issues.
The researcher also discovered that Symantec had used open source libraries in its products, such as libmspack and unrarsrc, but forgot to update them for the past seven years. An attacker would only need to employ one of the publicly known issues for these tools.
Exploitation is trivial, bugs affect multiple products, on all platforms
Exploitation of some of these issues is trivial, according to Ormandy, who says that some don't require user interaction, and some are even wormable, being able to spread to other nearby devices on their own.
An attacker would only need to send an email to the target containing a malicious file that exploits one of these issues. Additionally, the attacker could host their exploit code online and embed a link to the malicious URL inside the email.
The list of affected products includes a large number of older, legacy Norton products, Symantec Endpoint Protection, Symantec Email Security, Symantec Protection Engine, Symantec Protection for SharePoint Servers, and many other more. In all cases, the vulnerabilities are cross-platform. Symantec has released patches for all affected products.
In May, Ormandy helped Symantec plug another security hole in its product. Besides Symantec, in the past, the researcher found bugs in the software of security vendors such as FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG.