This article is more than 1 year old

Zero-interaction remote wormable hijack hole blasts Symantec kit

Google blasts AV security with 'patch or pay the price' red alert

Scores (or thousands, or millions) of enterprise and home Symantec users are open to remote compromise through multiple now-patched (where possible) wormable remote code execution holes described by Google as 'as bad as it gets'.

The flaws are "100 percent" reliable against Symantec's Norton Antivirus and Endpoint according to renowned hacker Tavis Ormandy from Google's Project Zero initiative.

"These vulnerabilities are as bad as it gets," Ormandy says.

"They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible."

It could easily result in a worm which could realistically spread rapidly between Symantec users via email or web links.

Victims would not even need to open the malicious files to be compromised.

"An attacker could easily compromise an entire enterprise fleet using a vulnerability like this," Ormandy says.

"Network administrators should keep scenarios like this in mind when deciding to deploy anti-virus [because] it’s a significant tradeoff in terms of increasing attack surface."

Affected products include Norton Security, Norton 360, Endpoint Protection, Email Security, the Protection Engine, and others.

Some of those platforms cannot be upgraded. The many users of pirate copies of Symantec's products would also likely be affected since many cracked applications block update mechanisms.

The problems lie in part with Symantec's unpacking engines which run in the kernel. The company also used code for its decomposer that was derived from open source libraries such as libmspack and unrarsrc which had not been updated for some seven years.

Symantec is the latest to fall to Ormandy's security testing of antivirus products, but has fallen hardest. Comodo, ESET, Kaspersky, and Fireeye are among those tested.

The security company has posted a security notice confirming the flaws.

It says it has added "additional checks" to its secure development lifecycle to spot similar flaws in the future, adding it has not seen in-the-wild attacks.

Users should:

  • Restrict access to administrative or management systems to authorised privileged users.
  • Restrict remote access, if required, to trusted / authorised systems only.
  • Run under the principle of least privilege where possible to limit the impact of potential exploit.
  • Keep all operating systems and applications current with vendor patches.
  • Follow a multi-layered approach to security. At a minimum, run both firewall and anti-malware applications to provide multiple points of detection and protection to both inbound and outbound threats.
  • Deploy network- and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in the detection of attacks or malicious activity related to the exploitation of latent vulnerabilities.


More about


Send us news

Other stories you might like