You don’t want to hear that the security product you are using to protect you has multiple critical vulnerabilities which put you at risk, but if you use Symantec/Norton then those holes are “as bad as it gets,” according to Google Project Zero security researcher Tavis Ormandy.
The security flaws “don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible,” Ormandy added on Project Zero. “In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
Ormandy’s post was published shortly after Symantec’s advisory which included 17 Symantec enterprise solutions and nine Norton products.
It doesn’t matter if it is Symantec’s enterprise security solution or a Norton-branded version for consumers, since the same flawed core engine is used across the entire product line; all “are affected by these vulnerabilities,” Ormandy wrote.
He hammered the point home by listing “Norton Security, Norton 360, and other legacy Norton products (All Platforms), Symantec Endpoint Protection (All Versions, All Platforms), Symantec Email Security (All Platforms), Symantec Protection Engine (All Platforms), Symantec Protection for SharePoint Servers, and so on.”
‘Wormable’ flaw that requires no user interaction by the victim
An attacker could exploit one vulnerability in Symantec’s unpacker – which runs in the kernel – by “just emailing a file to a victim or sending them a link,” Ormandy wrote. “The victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers. An attacker could easily compromise an entire enterprise fleet using a vulnerability like this.”
100% reliable remote exploit
Another vulnerability is “a 100% reliable remote exploit, effective against the default configuration in Norton Antivirus and Symantec Endpoint, exploitable just from email or the web.”
Affected products include, but are not limited to: “Norton Antivirus (Mac, Windows), Symantec Endpoint (Mac, Windows, Linux, UNIX), Symantec Scan Engine (All Platforms), Symantec Cloud/NAS Protection Engine (All Platforms), Symantec Email Security (All Platforms), Symantec Protection for SharePoint/Exchange/Notes/etc (All Platforms), all other Symantec/Norton Carrier, Enterprise, SMB, Home, etc antivirus products, and so on.” Ormandy added, “On Windows, this results in remote code execution as SYSTEM, and root on all other platforms.”
Symantec dropped the vulnerability management ball
Despite Symantec’s statement that it “takes the security and proper functionality of our products very seriously,” when it comes to vulnerability management, “Symantec dropped the ball.” Symantec’s decomposer library, for example, used code derived from open source libraries that hadn’t been updated in seven years. Ormandy posted the full list of Symantec/Norton vulnerabilities here.
The issues were reported to Symantec, which posted lengthy security advisories, but refuted Ormandy’s claim that some of the exploits are being used in attacks in the wild. Additionally, Symantec promised to make “additional checks” to its secure development lifecycle.
The bugs have been patched, which is mostly good news since customers’ software will be automatically updated. But Ormandy warned that some of the products “cannot be automatically updated,” putting it on admins to “take immediate action to protect their networks.”
Symantec is far from the first and undoubtedly will not be the last security product picked apart by Ormandy and found to be full of holes. He previously found critical flaws in Comodo Antivirus, ESET, Kaspersky, FireEye, McAfee, Avira, TrendMicro and more.