- Symantec fixed the issues informed by Ormandy and asked users to update
- Issues could have allowed hackers to control OS without user interaction
- Symantec uses the same core engine across their entire product line
Google Project Zero member and security researcher Tavis Ormandy published a blog on Wednesday detailing major security flaws found in nearly 25 of Norton and Symantec’s products being sold to both enterprises and customers.
Ormandy said multiple security flaws were found, including “wormable remote code execution flaws.” On his Google Project Zero blog post, Ormandy said, “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
Further explaining, Ormandy said the vulnerabilities could allow hackers to corrupt a computer’s memory as well as gain control over its operating system without the user even opening a malware-wrapped mail or a dangerous link. “Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway,” he added.
“As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities,” Ormandy said in his blog, referring to the Symantec AntiVirus Decomposer engine.
Symantec, however, has fixed the issues with its products after they were informed about the flaws by Ormandy – who published the blog post a day after the fixes were released. While most products will be updated automatically, several enterprise products will require administrators to effect fixes themselves. Symantec has issued a warning to its customers and explained how they can update their products.
In its security response post, Symantec highlights the affected products and the solution implemented. In the post, the company said, “Symantec is aware of buffer overflow and memory corruption findings in the AntiVirus Decomposer engine used in various configurations by multiple Symantec products.” The post added, “Symantec has verified these issues and addressed them in product updates as identified in the solution portion of the affected products matrix above. We have also added additional checks to our Secure Development LifeCycle to mitigate similar issues in future… Symantec is not aware of these vulnerabilities being exploited in the wild.”
Google Project Zero team is a group of security analysts that aims to improve overall security of computers and informs the manufacturer of the products about their flaws before releasing it to public. The team usually waits for the patch to come out before releasing the details about the flaws. However, if a patch is not released for 90 days post intimation (plus a two-week grace period), the team releases the details to the public. In this case, Ormandy helped the company create fixes by making a “100 percent reliable exploit” for them.
The release is likely to hurt the reputation of Symantec and its Norton Antivirus brand in particular. Ormandy in his blog post also criticises the development process at Symantec, specifically its vulnerability management, which is meant to monitor updates released for third party software. “Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years… Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases.”
On June 13, Symantec announced its plans to buy privately held cyber-security company Blue Coat for $4.65 billion (roughly Rs. 31,165 crores) in a cash deal that to enhance Symantec’s enterprise security business.
The announcement came as a surprise to the industry as the amount for the deal was more than Symantec’s revenue for the entire last fiscal year i.e. $3.6 billion (Rs. 24,336 crores).