June 29, 2016
Tavis Ormandy, a member of Google’s Project Zero initiative, has discovered a series of vulnerabilities in Symantec’s security products. Due to the nature of these flaws, they affect a large number of Symantec products, and not all can be patched via automatic updates.
“These vulnerabilities are as bad as it gets,” Ormandy writes on Google’s blog. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
The vulnerable code Ormandy refers to is part of the ASPack handling, a piece of commercial packing software that Symantec uses to analyze files scanned for malware.
Ormandy says that Symantec's mistake was to run this component inside the operating system's kernel, at the highest privilege level available. A vulnerability in this component therefore hands the attacker full control over the system, with no need for a second-stage exploit to escalate their access.
Besides this main issue, CVE-2016-2208, the researcher also reports finding multiple stack buffer overflows and memory corruption issues.
The researcher also discovered that Symantec had used open source libraries in its products, such as libmspack and unrarsrc, but had not updated them for the past seven years. An attacker would only need to use one of the publicly known issues in these libraries.