Enterprises that depend on Symantec’s antivirus products to protect their networks may want to rethink their strategies. According to Google’s Project Zero, Symantec’s flagship enterprise security product is riddled with vulnerabilities that could be putting millions of companies at risk.
The bugs affect all Symantec and Norton branded antivirus products, the Google team said. “These vulnerabilities are as bad as it gets,” Google researcher Tavis Ormandy wrote on Project Zero’s Web site yesterday. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
‘Symantec Dropped the Ball’
Project Zero is a Google-run effort to search for vulnerabilities, particularly so-called “zero-day” flaws in software products, and then alert the developers of the problems. In this case, Ormandy said Symantec was able to fix the problems and update its software quickly. However, some of the products affected by the vulnerabilities cannot be automatically updated, so administrators have to manually update their systems to protect their networks.
While Ormandy praised Symantec for its quick response, he was highly critical of the company’s failure to uncover the vulnerabilities. “As with all software developers, antivirus vendors have to do vulnerability management,” Ormandy said. “This means monitoring for new releases of third-party software used, watching published vulnerability announcements, and distributing updates. Nobody enjoys doing this, but it’s an integral part of secure software development.”
In particular, Ormandy said, the company had gone at least seven years without updating code in its products that was derived from open source libraries such as libmspack and unrarsrc. “Symantec dropped the ball here,” Ormandy said.
Potentially Devastating Consequences
One of the most serious problems in Symantec’s code has to do with an unpacker. An unpacker is a type of tool used by antivirus software to analyze compressed executable files. The unpacker Symantec used for files that had been compressed by ASPack, a commercially available compression tool, provided hackers an opportunity to force a buffer overflow.
And because Symantec’s products use a filter driver to scan all incoming data, a hacker could infect a target network just by e-mailing a link to a user — the user wouldn’t even have to open it. “Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers,” Ormandy said. “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this.”
Ormandy said he was also able to develop an exploit that abused the way Symantec parses PowerPoint files to cause a stream stack buffer overflow. According to Ormandy, his exploit worked with 100 percent reliability against the default configurations of both Norton Antivirus and Symantec Endpoint, although the bug was present in all products branded as Norton or Symantec.
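The ASPack unpacker and PowerPoint parser bugs described above belong to one class of defect: a file parser that trusts a length it read from the file it is scanning. The C example below is added here for illustration and is not Symantec's code or the real ASPack format; it uses a constructed 4-byte length header and shows the unchecked copy beside a hardened version that validates the length against both the output buffer and the bytes actually present in the input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified "packed section" layout for this illustration
 * only (NOT the real ASPack format): a 4-byte little-endian declared
 * length followed by that many payload bytes. */
#define OUT_CAP 64

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: trust the length field from the file and copy. */
static int unpack_section_vulnerable(const uint8_t *in, size_t in_len,
                                     uint8_t *out /* OUT_CAP bytes */) {
    if (in_len < 4) return -1;
    uint32_t declared = read_le32(in);
    /* BUG: 'declared' is attacker-controlled and is never checked against
     * OUT_CAP or in_len, so an oversized value overruns 'out' (and reads
     * past 'in'). This is the class of defect the article describes. */
    memcpy(out, in + 4, declared);
    return (int)declared;
}

/* Hardened pattern: validate the untrusted length against both the
 * destination capacity and the bytes actually present in the input. */
static int unpack_section_hardened(const uint8_t *in, size_t in_len,
                                   uint8_t *out, size_t out_cap) {
    if (in == NULL || out == NULL || in_len < 4) return -1;
    uint32_t declared = read_le32(in);
    if (declared > out_cap) return -2;     /* would overflow 'out' */
    if (declared > in_len - 4) return -3;  /* header lies about payload size */
    memcpy(out, in + 4, declared);
    return (int)declared;
}

int main(void) {
    uint8_t out[OUT_CAP];
    /* Constructed benign input: declares 5 bytes, carries 5 bytes. */
    const uint8_t good[] = {5, 0, 0, 0, 'H', 'e', 'l', 'l', 'o'};
    /* Constructed hostile header: declares 0x10000 bytes, carries 5. */
    const uint8_t bad[] = {0, 0, 1, 0, 'H', 'e', 'l', 'l', 'o'};
    printf("good: %d\n", unpack_section_hardened(good, sizeof good, out, sizeof out));
    printf("bad:  %d\n", unpack_section_hardened(bad, sizeof bad, out, sizeof out));
    return 0;
}
```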