Symantec is the latest security company shamed by Google for having critical security vulnerabilities in business and consumer products.
Google employee Tavis Ormandy discovered several critical vulnerabilities in Symantec programs that put users and businesses at risk.
The vulnerabilities require no user interaction, affect the default configuration, and take advantage of the fact that the software programs run with the highest privilege levels.
On Windows, some of the vulnerable code is even loaded into the kernel.
These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
All Symantec and Norton antivirus products affected
All Symantec and Norton antivirus products are affected by the vulnerabilities, including Norton Security, Norton 360, Symantec Endpoint Security, Symantec Protection Engine and so on.
The reason why all are affected is that they all share the same core engine.
Tavis reveals information about some of the vulnerabilities. One of the vulnerabilities takes advantage of an unpacker that Symantec runs in the kernel. A successful exploit results in a heap overflow as root in the Symantec or Norton process on Linux, Mac or Unix systems, and in kernel memory corruption on Windows.
An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.
Symantec uses open source libraries for vulnerability management. What is interesting here is that the company has not updated some libraries in at least seven years, leaving them vulnerable to dozens of exploits disclosed publicly over the years.
What you can do
If you run Symantec or Norton antivirus software on your devices, update them as soon as possible to protect the devices from attacks.
Symantec published a security advisory on its website listing all affected consumer and Enterprise products. Additionally, the advisory reveals which versions are affected by the security issues, and whether updates are provided for the products.
Some updates need to be applied as hotfixes, while others can either be downloaded directly from the Symantec website, or updated through LiveUpdate, SMG, CSAPI or hosted software updates.
Symantec is the latest company in an ever-growing list of security companies that introduce major security vulnerabilities on the systems they run on.
The list of shame reads almost like a who's who of the security world, with companies such as AVG, Kaspersky, Sophos, Malwarebytes and TrendMicro all affected by one or multiple vulnerabilities in the past.
Now You: Which security vendor do you trust?