Symantec Scrambles to Fix Flaws After Google Sounds Alarm

Symantec last week confirmed that it had developed fixes for a series of eight vulnerabilities found in its portfolio of security products for enterprise and consumer customers, after an outside researcher identified the problem.

A researcher from Google’s Project Zero alerted the company, but there was no evidence of the vulnerability being exploited in the wild, said Adam Bromwich, Symantec’s vice president for security technology and response.

The issues involved buffer overflow and memory corruption in the Antivirus Decomposer engine used in various security products.

Parsing of maliciously formatted container files might cause corrupted memory, integer overflow or buffer overflow in Symantecs Decomposer engine, Bromwich noted. That typically results in an application-level denial of service, but it also could result in arbitrary code execution.

An attacker could run arbitrary code by sending a specially crafted file to a user, he said.

Symantec has verified the issues and addressed them in product updates and recommends that users apply required patches to the affected products as soon as possible, added Bromwich.

All Norton products have been updated through LiveUpdate. Symantec Enterprise customers should check online to determine which products have been updated automatically and which require product updates.

Companies should restrict access to administrative or management systems to authorized, privileged users, Symantec recommended. They should restrict remote access to trusted or authorized systems, and keep operating systems current with vendor patches. Also, they should use firewall and antimalware applications to provide multiple layers of security.

Widespread Corruption

The vulnerabilities, discovered by Tavis Ormandy, of Google’s Project Zero, were found in a number of leading security products, including Norton Security, Norton 360, all other legacy Norton products, Symantec Endpoint Protection, Email Security, Protection Engine and Protection for Sharepoint Servers, according to Google.

“These vulnerabilities are as bad as it gets,” Ormandy said.

Among the vulnerabilities found were executable packers like UPX, which are tools designed to reduce the size of executables by compressing them, he noted.

Many antivirus companies write dedicated unpackers to reverse the operation of the most common packers, then use emulation to handle less common and custom packers, according to Ormandy.

It is very complicated to make the code safe, he pointed out. In the Symantec case, the company had dedicated unpackers for a few older versions of ASPack, a commercial unpacking software, which triggered a buffer overflow.

Another vulnerability Project Zero discovered involved an administrative setting called “bloodhound heuristics” or “advanced heuristic protection” in Norton Antivirus. The setting had three options of low, automatic and aggressive, and in that final mode, a crash was quickly induced.

Threat Vector

“The issue here is that Symantec’s unpacking routines largely occurred within the kernel,” said Kevin O’Brien, founder of GreatHorn.

“This creates a major vulnerability, as it makes the Symantec engine a threat vector for a wide variety of attack types, he told TechNewsWorld.

In the case of Symantec, the security software could be exploited to compromise endpoint devices, O’Brien said. Since Symantec email security is one of the threat vectors, then an attacker simply could send the right kind of attack to an enterprise over normal email.

Symantec deserves credit for its response to the warnings, he noted, citing its decision to send formal advisories immediately.

That said, the discoveries should serve to warn enterprises that they need to tighten up on their security, added O’Brien, by combining endpoint and perimeter security with additional third-party controls around monitoring, as well as comprehensive communication security that can identify if malware is received and whether devices have been breached at the operating system level.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by David Jones
More in Security

Technewsworld Channels