Zero-interaction remote wormable hijack hole blasts Symantec kit

Google blasts AV security with 'patch or pay the price' red alert


Scores (or thousands, or millions) of enterprise and home Symantec users are open to remote compromise through multiple wormable remote code execution holes, now patched where patching is possible, that Google describes as "as bad as it gets".

The flaws are "100 percent" reliable against Symantec's Norton Antivirus and Endpoint Protection, according to renowned hacker Tavis Ormandy of Google's Project Zero initiative.

"These vulnerabilities are as bad as it gets," Ormandy says.

"They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible."

A flaw of this kind could easily be turned into a worm that realistically spreads rapidly between Symantec users via email or web links.

Victims would not even need to open the malicious files to be compromised.

"An attacker could easily compromise an entire enterprise fleet using a vulnerability like this," Ormandy says.

"Network administrators should keep scenarios like this in mind when deciding to deploy anti-virus [because] it’s a significant tradeoff in terms of increasing attack surface."

Affected products include Norton Security, Norton 360, Endpoint Protection, Email Security, the Protection Engine, and others.

Some of those platforms cannot be upgraded. The many users of pirated copies of Symantec's products would also likely remain affected, since many cracked applications block update mechanisms.

The problems lie in part with Symantec's unpacking engines, which run in the kernel. The company also used code for its decomposer that was derived from open source libraries such as libmspack and unrarsrc, which had not been updated for some seven years.
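Stripped to its root cause, the decomposer problem described above is a parser that trusts length fields taken from untrusted input while running at the highest privilege level. The following is an added example, not Symantec's code and not taken from libmspack or unrarsrc: a hardened chunk parser for a constructed, hypothetical length-prefixed container format, showing the checks (truncated header, declared length beyond the remaining input, per-chunk size cap, output table limit) that an unpacker running in the kernel cannot afford to skip. The format, the sample byte strings, and the `MAX_CHUNK_LEN` and `MAX_CHUNKS` limits are all assumptions made for the example.

```c
/* Added example (not Symantec's code): a hardened parser for a constructed,
 * hypothetical chunk format, to show the checks an unpacker must make before
 * trusting any length field read from untrusted input. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical format: a sequence of chunks, each a little-endian uint32
 * declared length followed by that many payload bytes. */
#define MAX_CHUNKS    64     /* assumed table limit */
#define MAX_CHUNK_LEN 4096   /* assumed cap on an attacker-chosen length */

typedef struct {
    const uint8_t *data;   /* points into the input buffer, never copied */
    uint32_t len;
} chunk_t;

/* Read a little-endian uint32 byte by byte: no unaligned access and no
 * host-endianness assumption. Caller guarantees 4 bytes are available. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse buf[0..buf_len) into out[]. Returns the chunk count on success or -1
 * on malformed input. Every check compares against the bytes that remain
 * (buf_len - pos), so no pos + declared addition can wrap around. */
int parse_chunks(const uint8_t *buf, size_t buf_len, chunk_t *out, size_t out_cap) {
    size_t pos = 0;
    int count = 0;

    while (pos < buf_len) {
        if (buf_len - pos < 4)
            return -1;                      /* truncated length field */
        uint32_t declared = read_le32(buf + pos);
        pos += 4;

        if (declared > MAX_CHUNK_LEN)
            return -1;                      /* absurd size: refuse, do not allocate */
        if (declared > buf_len - pos)
            return -1;                      /* payload would run past the input */
        if ((size_t)count >= out_cap)
            return -1;                      /* output table full */

        out[count].data = buf + pos;
        out[count].len = declared;
        count++;
        pos += declared;                    /* safe: declared <= buf_len - pos */
    }
    return count;
}

/* Constructed sample inputs, labelled as such; not real archive data. */
static const uint8_t SAMPLE_OK[]        = {3,0,0,0,'a','b','c', 1,0,0,0,'z'};
static const uint8_t SAMPLE_HUGE_LEN[]  = {0xff,0xff,0xff,0xff,'a'};
static const uint8_t SAMPLE_TRUNCATED[] = {3,0,0,0,'a','b'};
static const uint8_t SAMPLE_SHORT_HDR[] = {3,0};

/* Run the parser over one sample with a full-size output table. */
int check_sample(const uint8_t *buf, size_t len) {
    chunk_t out[MAX_CHUNKS];
    return parse_chunks(buf, len, out, MAX_CHUNKS);
}

int demo_ok(void)        { return check_sample(SAMPLE_OK, sizeof SAMPLE_OK); }
int demo_huge_len(void)  { return check_sample(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN); }
int demo_truncated(void) { return check_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED); }
int demo_short_hdr(void) { return check_sample(SAMPLE_SHORT_HDR, sizeof SAMPLE_SHORT_HDR); }
int demo_empty(void)     { return check_sample(SAMPLE_OK, 0); }

int main(void) {
    printf("well-formed stream : %d chunks\n", demo_ok());      /* 2 */
    printf("length 0xffffffff  : %d\n", demo_huge_len());       /* -1 */
    printf("truncated payload  : %d\n", demo_truncated());      /* -1 */
    printf("2-byte header      : %d\n", demo_short_hdr());      /* -1 */
    printf("empty input        : %d chunks\n", demo_empty());   /* 0 */
    return 0;
}
```

Compile with any C99 compiler and run; main prints the verdict for each constructed sample. Two design choices carry the weight: every bound is checked against `buf_len - pos`, the bytes actually remaining, instead of computing `pos + declared`, which can wrap on a 32-bit `size_t`; and the cap on the declared length bounds what the parser can be made to allocate or copy regardless of what the input claims. An unpacker that skips either check in kernel context turns a malformed archive into a kernel-privilege memory corruption, which is exactly the class of tradeoff Ormandy is warning about.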

Symantec is the latest to fall to Ormandy's security testing of antivirus products, but it has fallen hardest. Comodo, ESET, Kaspersky, and FireEye are among those tested.

The security company has posted a security notice confirming the flaws.

It says it has added "additional checks" to its secure development lifecycle to catch similar flaws in future, adding that it has not seen in-the-wild attacks.

Users should:

  • Restrict access to administrative or management systems to authorised privileged users.
  • Restrict remote access, if required, to trusted / authorised systems only.
  • Run under the principle of least privilege where possible to limit the impact of a potential exploit.
  • Keep all operating systems and applications current with vendor patches.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.

Biting the hand that feeds IT © 1998–2020