Confirming Security: Project Zero


Symantec has been a leading name in the security sector for the last 15 years, with wide success in enterprise security. The company is most recognizable through its consumer side, the Norton anti-virus software. With so much prestige in the market, it may be surprising to learn that Project Zero, a Google-sponsored group of security analysts, has discovered major security exposures in Symantec’s Endpoint and Norton products. Seeing a respected gatekeeper of cybersecurity so open to attack illustrates the increasing importance of creating and hiring a competent, educated security workforce in this frontier sector.

Flaws in the System

Project Zero was established in mid-2014 to research and identify zero-day exploits. Known for previously discovering critical flaws in FireEye, McAfee and other security products, the team recently highlighted another major vulnerability on its blog. Tavis Ormandy, the author of the analysis for Project Zero, exposed massive weaknesses, including vulnerabilities that require no user interaction and run at the highest privilege level. The blog post analyzes in depth the major security flaws it shows to be endemic in the core programming of Symantec/Norton’s most popular and widely distributed consumer anti-virus and enterprise security platforms.

Ormandy describes some of the issues as “as bad as it gets,” and they include a “100% reliable remote exploit.”

Ormandy writes a simple test case that lets him illustrate in painstaking detail how he exploited this remote code execution vulnerability. The vulnerability stems from the component of the engine, common to Symantec products, that unpacks executables compressed with ASPack. Ormandy goes on to specifically criticize Symantec for running its unpacker in the kernel, the most privileged core of the operating system. This left potentially millions of Windows users exposed to kernel memory corruption. He demonstrates that, because Symantec uses a filter driver to intercept all system input/output, simply sending the intended victim a link or emailing a file is enough to trigger the vulnerability. The victim does not even need to open the file.
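The passage above describes the shape of the exposure: a filter driver hands every file the system touches to an unpacker that runs in the kernel, so whatever that unpacker does with attacker-supplied sizes happens at the highest privilege level. The following C is an added illustration written for this article. It is not Symantec’s code, not the ASPack format, and not the specific flaw Project Zero reported; it uses a constructed toy header (the names `TOY_MAGIC`, `HDR_LEN`, `validate_packed`, `unpack_toy` and `build_sample` are all invented here) to show the class of length validation an unpacker must perform before it copies a single attacker-controlled byte.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy "packed section" header for this illustration only:
 *   magic(4) | packed_len(4) | unpacked_len(4) | payload[packed_len]
 * All multi-byte fields little-endian. Not a real packer format. */
#define TOY_MAGIC 0x5041434Bu   /* "PACK" */
#define HDR_LEN   12u

enum unpack_status {
    UNPACK_OK = 0,
    UNPACK_TRUNCATED,    /* input shorter than the header or its declared payload */
    UNPACK_BAD_MAGIC,
    UNPACK_TOO_LARGE,    /* declared output would not fit the caller's buffer */
    UNPACK_BAD_LENGTHS   /* declared sizes are internally inconsistent */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Check every attacker-controlled length against the real buffer sizes.
 * A naive unpacker reads packed_len/unpacked_len from the file and copies
 * immediately; in kernel context each skipped check here is a candidate
 * kernel memory corruption, which is the exposure the article describes. */
enum unpack_status validate_packed(const uint8_t *in, size_t in_len, size_t out_cap,
                                   uint32_t *packed_len, uint32_t *unpacked_len)
{
    if (in_len < HDR_LEN) return UNPACK_TRUNCATED;          /* header itself must be present */
    if (rd32(in) != TOY_MAGIC) return UNPACK_BAD_MAGIC;
    uint32_t p = rd32(in + 4), u = rd32(in + 8);
    /* Compare the declared payload against bytes actually remaining, never
       against another field the attacker also controls. */
    if (p > in_len - HDR_LEN) return UNPACK_TRUNCATED;
    /* The toy "compression" is a plain copy, so output size equals input size;
       a real scheme would bound the allowed expansion ratio here instead. */
    if (u != p) return UNPACK_BAD_LENGTHS;
    if (u > out_cap) return UNPACK_TOO_LARGE;                /* destination must fit */
    *packed_len = p;
    *unpacked_len = u;
    return UNPACK_OK;
}

/* Copy only after validation succeeded. Returns bytes written, or -1. */
long unpack_toy(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    uint32_t p, u;
    if (validate_packed(in, in_len, out_cap, &p, &u) != UNPACK_OK) return -1;
    memcpy(out, in + HDR_LEN, u);
    return (long)u;
}

/* Build a constructed sample, with header fields chosen freely so that
   mismatched or oversized declarations can be tested. Returns bytes written. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t declared_packed,
                    uint32_t declared_unpacked, const uint8_t *payload, size_t payload_len)
{
    if (cap < HDR_LEN + payload_len) return 0;
    wr32(buf, TOY_MAGIC);
    wr32(buf + 4, declared_packed);
    wr32(buf + 8, declared_unpacked);
    memcpy(buf + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

int main(void)
{
    uint8_t file[64], out[16];
    /* honest sample: 4 bytes declared, 4 bytes present */
    size_t n = build_sample(file, sizeof file, 4, 4, (const uint8_t *)"abcd", 4);
    printf("valid sample -> %ld bytes unpacked\n", unpack_toy(file, n, out, sizeof out));
    /* hostile sample: declares far more payload than the file contains */
    n = build_sample(file, sizeof file, 0xFFFFFFFFu, 0xFFFFFFFFu, (const uint8_t *)"abcd", 4);
    printf("oversized declaration -> %ld (rejected)\n", unpack_toy(file, n, out, sizeof out));
    return 0;
}
```

The point of the shape is that the output buffer size and the number of bytes actually present are the only trusted quantities; every field read from the file is checked against them before `memcpy` runs, and the check happens in a separate function so it cannot be skipped by a later code path that forgets it.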

Since Symantec uses the same core engine across its entire product line, both its enterprise security and its consumer products are affected. These include Symantec Endpoint Protection, Email Security, Protection Engine, SharePoint Servers, and all Norton Security and 360 products across all platforms.

The Solution

Symantec has patched these vulnerabilities, deployed the fixes via automatic update, and says it will continue to make additional checks to secure its products. Check out their FAQs for more information on how the vulnerabilities are being combated. To learn how to catch major bugs and start your career in cyber security, click here.

Published 2018-02-25. Category: Cybersecurity