Google shames Symantec for security issues
Symantec is the latest security company shamed by Google for having critical security vulnerabilities in business and consumer products.
Google employee Tavis Ormandy discovered several critical vulnerabilities in Symantec programs that put users and businesses at risk.
The vulnerabilities require no user interaction, affect the default configuration, and take advantage of the fact that the software programs run with the highest privilege levels.
On Windows, some vulnerabilities allow for code to be loaded into the kernel even.
These vulnerabilities are as bad as it gets. They donâ€™t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
All Symantec and Norton antivirus products affected
All Symantec and Norton antivirus products are affected by the vulnerabilities including Norton Security, Norton 360, Symantec Endpoint Security, Symantec Protection Engine and so on.
The reason why all are affected is that they all share the same core engine.
Tavis reveals information about some of the vulnerabilities. One of the vulnerabilities takes advantage of an unpacker that Symantec runs in the kernel. A successful exploit results in a heap overflow as root in the Symantec or Norton process on Linux, Mac or Unix systems, and in kernel memory corruption on Windows.
An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, itâ€™s a significant tradeoff in terms of increasing attack surface.
Symantec uses open source libraries for vulnerability management. What is interesting here is that the company has not updated some libraries in at least seven years leaving them vulnerable to dozens of exploits disclosed publicly over the years.
What you can do
If you run Symantec or Norton antivirus software on your devices, update them as soon as possible to protect the devices from attacks.
Symantec published a security advisory on its website listing all affected consumer and Enterprise products. Additionally, the advisory reveals whether which versions are affected by the security issues, and whether updates are provided for the products.
Some updates need to be applied as hotfixes, while others can either be downloaded directly from the Symantec website, or updated through LiveUpdate, SMG, CSAPI or hosted software updates.
Symantec is the latest company in an ever growing list of security companies that introduce major security vulnerabilities on systems they are run on.
The list of shame reads almost like the who is who of the security world, with companies such as AVG, Kaspersky, Sophos, Malwarebytes and TrendMicro all affected by one or multiple vulnerabilities in the past.
Now You: Which security vendor do you trust?
With regards to the recent antivirus software snafus, I’ve had no problems with Webroot. I’m no expert, but just
the fact that it operates differently than most of the others might help it avoid some common traps.
Webroot is very different from the rest of the industry.
It lacks emulation for one. Filesystem realtime scanning is just an md5 checksum scanner with a cloud connection. There is no examination of malicious word documents (other than hash, but probably not even that). On top of that, if an unknown process executes, a monitoring dll is injected to observe its behavior.
The checksum scanner can easily be fooled just by changing the hash. Malware delivery servers nowadays push out unique malware with every infection attempt automatically.
In the past it has also been very easy to circumvent the monitoring feature, with process hollowing and the like. Keep in mind, a hollowed whitelisted system process is not monitored. Drivers are also not monitored. Then there is shellcode. There are some very nasty in-memory-only exploit payloads in regard to which Webroot is completely oblivious. According to Webroot, exploit payloads are exe’s, that are dropped on and executed from the disk (it hurts to read something like this from a endpoint protection company).
I’ll give you that Webroot is probably not vulnerable to many things which classic AVs are vulnerable to. Then again, Webroot is extremely thin protection.
There are many superior solutions out there:
– Blueridge Networks AppGuard
– Excubits product line (Bouncer, along with MemProtect and Pumpernickel, the last two still being in beta).
– reHIPS (being finalized as we speak)
– even the auto-sandbox of Comodo Firewall, though I wouldn’t use Comodo, personally
This fails to surprise me. I once tried to report a serious security issue to Symantec in one of their most popular products. Their initial response was that they knew their product had issues.
When I explained the severity and importance of this issue I discovered, they sent me multiple pages of legal documents that I would have to sign to explore the issue with their team. My attorney wanted a small fortune to evaluate all those documents, so I couldn’t sign them. Symantec was not willing to continue forward without the signing of all those documents.
I uninstalled all Symantec software and have never installed any of their software again. For all I know, that serious issue could still be present in their code.
I once believed in Avast until it installed me malware browser without my consent
With any program install always go custom install ,That way you have control for what is being installed .Does Not need consent on default
Really Simple to do !
No, the SafeZone browser installed through a definition update, not through the program. You couldn’t control the process, though I believe they rethought that after backlash and included it in the installer instead.
In this specific case Avast put it upon themselves to install it for everybody prompt or not prompt, didn’t matter if you already had Avast installed custom, they basically slipped it in like a definition update, and when people complained in the forum, their initial response was “we are doing you a favor,” then they eventually backpedaled. It is still an opt out for the first time you install Avast, but they no longer force install it. It didn’t help that Google publicly shamed Avast’s browser as insecure and dangerous to just having it in your system, you didn’t even need to use it even once, the browser changed security settings in Google Chrome and other things exposing people.
“really simple to do”…
Well, thanks for your overly condescending jab in response to Ken. But… at the very least I think you would really want to question the installation of security software that wants to install malware add-on’s to your browser by default, unless you select the “custom” option, don’t you?
I mean, don’t such tactics run contrary to the very spirit of what it means to be a supposed “security” software company?
I do have a security infrastructure but no kernel-deep anti-virus/malware/all-in-one solution. I’ve always been told that the firewall was the first and main security to deploy and I remember an article stating that 80% of computer/web professionals didn’t believe and consequently rely on universal anti-malware solutions. The shame of one security software company after another made me feel puzzled about top-notch so-said security products even before the adding of incidents started building the list, that of shame.
Granting an application all the rights to settle deep into the computer’s kernel is a tough decision, even if the argumentation of these products is precisely to be given authority on the areas where malware steals it. Like vaccination, playing with the devil is a risk. Of course no one can omit security but remain tools to circumvent, or at least minimize the risks, including awareness and good sense behaviors.
What always surprises me as with what is happening to Symantec is that those shame companies always wait that their code inconsistencies to be made public to start moving themselves and deliver updates with as always the message stating that security is very important for them and that they take into the highest consideration the safety of their customers. Who are they kidding?
Wouldn’t be caught dead using Norton. It’s not the 90s anymore.
I quit with Symantec products years ago and never looked back, let noobs have it because it looks graphically cool and use friendly (apparently), fanbois take advantage of Symantec F1 sponsorship and endless deals but the product is still the same.
I still use Norton, maybe my computer has already been compromised, if you’re not an expert there is no way to tell! You have to rely on the companies and those folks that know about virus’s to keep your information safe. I imagine my data is out in the world every time I visit an ATM, shop online, visit a doctor, etc. I’ve never noticed one virus program being better than another, they all have problems, and the bad guys are ever changing and smart too. I’m sure anti-virus software helps, but you’re never quite sure..
Antivirus software is never 100% secure but at least it provides a kind of protection that you can relay day by day, but let me tell you something, Norton was a TOP software before Microsoft hired its master and now Symantec is not able to stand by its promises.
“a kind of protection” as you say means a non reliable protection in terms of acceptability (100% guarantee is impossible). This, together with the fact that security software has more than once been itself a security issue (see in the article “The list of shame reads almost like the who is who of the security world[…]”) has led and will lead more than one user to think twice before installing one of those applications and, after thought, to sometimes avoid installing them and setting rather other walls to protect the system. The firewall as to what I’ve always been told and read is essential and, together with modular tools and brains (drivers with no driving license have less accidents than others) can be considered IMO as a valid alternative. I may be wrong but it’s not because I’m not an expert that I should opt for official so-called obvious arguments when others plead for another approach. Anyway there’s a risk on both sides so if I have to be hung it’ll be without a bag over my head.
The antivirus and firewall are very useful for the majority of computer users but if you’re a computer knowledged person, you know how to better protect yourself like for example the hardware firewall, you need a spare computer turned on which functions as a firewall and filters the communication between the network and your main computer.
That is the most secure protection I know so far.
Antony, quoting the article :
“The list of shame reads almost like the who is who of the security world, with companies such as AVG, Kaspersky, Sophos, Malwarebytes and TrendMicro all affected by one or multiple vulnerabilities in the past.”
You call that useful anti-virus software?
If I haven’t read what was not written (condemning security software as a whole) I did read that several well-known security companies offered applications which happened or had happened to be themselves vulnerable : the application’s code, not its defense reliability itself which is another topic. Like a body-guard who would have failed because of drunkenness.
The anti-virus may be useful, may be for some of them very useful, but requires for the least deep thoughts, information and documentation about the software itself : “I have an anti-virus” is not, such as, IMO, a valid approach. This article demonstrates this.
Tom I agree. The flaws in security products by security companies, many of them so obvious that one has to wonder how you can trust these companies with your security. are a problem. These products are designed to keep you save, yet they contain years-old unpatched software or make your system vulnerable which, last time I checked, is the exact opposite of what they claim to do.
From the article: Which security vendor do you trust?
I trust ESET for everyday use and paying attention at what web sites I visit and what software or files I load on the computer.
You cannot pretend to drive a car while sleeping, you need to be aware and vigilant and avoid the dangers on the roads, but as you know accidents still happen. Modern cars are safe to drive and they use the latest technology available but they are not perfect like the antivirus for computers, there is always a hole.
It remembers me years ago during a world convention where the top technology CEOs (including Bill Gates) met to discuss internet and computer related problems.
During the live meetings a group of hackers sneaked in the security system and showed to Bill Gates & Co that they were able to read vital and personal information of all the present people there.
This is tell you that in life nothing is perfect and nothing is 100% safe.
You can live without antivirus if you want but the majority of common people need it because they don’t know and don’t understand technical stuff.
Antony, no one is advising to let a computer live without an anti-virus, that’s not the point here even if some consider, for themselves, alternative solutions for their computers.
Better to have an anti-malware than nothing, at the condition that this anti-malware is not, itself, vulnerable. This is why, together with the article’s implicit recommendation, choosing an anti-malware requires investigation, not only to know its reliability (you have a plethora of comparison charts available on the Web) but before all to know if a security solution you’re considering is viable, not bugged, not vulnerable itself. That’s all. we are not into the abstract depths of a whatever essay on the pertinence of software security but in the reality of facts. You mention ESET? OK, that is the purpose of the article once it has described facts of vulnerability (vulnerability, not reliability) on a certain number of security solutions to ask us how we consider our own system’s security. Your answer is ESET, OK! No problem! If it suits you maybe you could talk more about it, I’m not against anti-malware… as long as it’s not bugged.
I hope we agree because next step would be a loop!
Frankly speaking I felt like you were against any antivirus but I was wrong,
Anyways, I don’t relay much on web reviews for the simple reason that people need to get money somewhere to run and maintain their web sites and forums and I know that it takes time and effort so often there a conflict of interests.
I’ve tried all most common antivirus suites and each had their own problems like for example Symantec and Kaspersky being very very intrusive and stubborn suites which pretend to be the owners of your computer plus of course they have their own false alerts.
But ESET is the one that overally gave me less headache and more reliability, however, I stopped paying for its license when its settings became too much complicated for me so I opted for the free Windows suite which I believe it’s good enough for everyday use.
Though I stopped using Norton Utilities around dos 6ish; to me, Symantec lost a lot of credibility back in 2006.
“Symantec: We Didnâ€™t Know in 2006 Source Code Was Stolen”
If you read the comment(s) associated with this link, you’ll soon learn that this story is much to do about very little . I have and continue to use Norton : it consistently is rated in the top 5 in every ‘reliable’ test data base, year after year after year . . . additionally, I have found their customer service to be exceptional .
maybe Google should do more Symantec shaming because of this recent “botched” migration of the Symantec acquisition by Broadcom: