Google security researcher Tavis Ormandy has unearthed a slew of critical vulnerabilities, including many remote code execution flaws, in Symantec and Norton enterprise and consumer AV products.
The flaws affect the core engine deployed in the products and are, according to Ormandy, “as bad as it gets.”
“They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption,” he noted.
The latter is possible because Symantec runs executable file unpackers directly in the kernel.
One of the vulnerabilities (CVE-2016-2208), a trivial buffer overflow, can lead to kernel memory corruption on Windows machines, and can be triggered by the victim simply receiving (and not opening) a specially crafted file or link via email.
“Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers. An attacker could easily compromise an entire enterprise fleet using a vulnerability like this,” Ormandy pointed out.
“Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
More details about the flaws can be found here and here, along with code for some of the exploits.
The vulnerabilities have been fixed by Symantec. For some products the fixes are applied automatically, along with the latest definition updates; for the rest, admins have to check for the updates, download them and install them manually (see Symantec’s security advisory for details).
Ormandy is known for his research into the security of security products, and has previously discovered critical flaws in solutions by many high-profile vendors such as Comodo, Trend Micro, Kaspersky and FireEye.