British white hat hacker and Google Project Zero chap Tavis Ormandy is making life miserable for Symantec again: the bug-hunter has turned up an exploitable overflow in “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products”.
Described here, the problem is in how the antivirus products handle executables compressed using an early version of the Aspack compression tool.
If the engine encounters truncated section data – “when SizeOfRawData is greater than SizeOfImage” – the buffer overflow occurs. Ormandy writes:
Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.
Entertainingly, it's a cross-platform bug that affects Windows, Mac, and *nix platforms. In Mac / Linux / Unix, an attacker can cause a remote heap overflow in the Symantec process, giving the attacker root access.
The Windows bug is even better: “On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get,” he writes.
Either email or browser attacks will work, Ormandy says, attaching a test case file to his post. Ormandy tweeted that Live Update will carry some fixes, while others will require a patch. ®