Many users and businesses rely on a third party anti-virus tools to secure their computer systems from viruses and malware. Google’s Project Zero team, the company’s team of security analysts tasked with finding zero-day exploits, have published details of “multiple critical vulnerabilities” they’ve discovered in Symantec and Norton products. According to the team, the Symantec and Norton vulnerabilities “are as bad as it gets.”
These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
Many of Symantec’s products use the same core engine, and as a result all of their enterprise security products (17 total) and consumer products (8 total) sold under the Norton brand are affected. Affected products include:
- Norton Security, Norton 360, and other legacy Norton products (All Platforms)
- Symantec Endpoint Protection (All Versions, All Platforms)
- Symantec Email Security (All Platforms)
- Symantec Protection Engine (All Platforms)
- Symantec Protection for SharePoint Servers
- and so on…
While some of the products have been updated through Norton’s LiveUpdate system, there are quite a few Symantec enterprise products that need to be manually updated. Symantec has released an advisory with a full list of affected products (the list is quite long and extensive) and how to update them.
The vulnerability is within Symantec’s executable file unpacker, which is used to reverse executable files that are packed to reduce their file size, as well as in their decomposer library which is used to extract document metadata and embedded macros from files, such as Microsoft Office and Powerpoint files.
Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.
The emphasis in the above quote was added to highlight the severity of this exploit as absolutely no interaction by the receiver is required for it to trigger. In Project Zero’s post, Tavis Omandy goes on to say that Symantec is using code derived from open source libraries, and the derived code hasn’t been updated in at least 7 years.
If you use Norton or Symantec products, you should check the Symantec link below to make sure your product is up to date.
Do you use Symantec or Norton security products? What do you think about this recent exploit? Let us know in the comments below, or on Google+, Twitter, or Facebook.