Tavis Ormandy, a white hat hacker operating as part of Project Zero, pointed out a considerable list of critical vulnerabilities found within a variety of security software produced by Symantec. According to Ormandy, the list of flaws are “as bad as it gets.”
The erroneous programming that Ormandy highlights deals primarily with Symantec’s “unpacker,” which is designed to examine compressed executable files to search for hidden malicious code. The way Symantec handled this task left users at considerable risk.
Ormandy wrote that all it would take to abuse the flaw would be an email containing a file or link to an exploit—no interaction would be necessary from the user.
“This is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers,” Ormandy warned. “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this.” He also noted that network administrators should keep these types of scenarios in mind when choosing to deploy an antivirus tool.
To show just how vulnerable Symantec software was to attack, Ormandy built a test case that would reliably take advantage of the flaws. He managed to create a remote exploit that was “100 percent reliable” and could be deployed from email or the web. Symantec products on every major platform fell victim to the simulated attack.
Ormandy concluded that Symantec had “dropped the ball” and hadn’t updated part of its code in at least seven years. Luckily, the company quickly issued fixes for the flaws described by the Google researcher. (When Project Zero finds flaws, it gives companies 90 days to fix them before publishing them.)
To take advantage of the now-protected platforms, users will have to download updates that include the patches. Many updates to Symantec products are delivered automatically, but some will require administrators to take manual action to update and protect their systems.
A Symantec spokesperson told the Daily Dot that the company “continually improves the protection delivered by our products with regular updates,” and “always recommend that customers upgrade to the latest version to get the best protection.”
“To ensure our products are as effective as possible we not only rely on our own experts, but we also listen to independent security researchers like Tavis Ormandy. In this case, Symantec has been working with Tavis, who approached us with a number of vulnerabilities that he had discovered after examining our enterprise and Norton products. Customers can get the latest versions now,” the spokesperson said.