The Google Project Zero bug reports just keep coming for Symantec.
Symantec patched two flaws in the file parser component of its antivirus decomposer engine, used by many Symantec products, after they were discovered in June by Google Project Zero information security engineer Tavis Ormandy. The bugs, which are the latest in a series of high-profile vulnerabilities affecting Symantec antivirus products, appear to parallel those Ormandy reported, and were patched by Symantec, earlier this year.
Although Symantec's report indicated the patched vulnerabilities were of medium severity, Ormandy disagreed, claiming Symantec had mischaracterized the flaws as enabling denial-of-service attacks; Ormandy insisted that they enable remote code execution attacks:
@cstromblad It's RCE. They were using an ancient version of unrarsrc and hadn't updated it for years.— Tavis Ormandy (@taviso) September 20, 2016
Via its LiveUpdate system, Symantec patched all Norton Security and Norton Antivirus products for Windows and Mac, but many of its enterprise products will need to be updated manually.
Ormandy wrote in the issue report: "We pointed out to Symantec that they hadn't updated their unrar-based unpacker for years, and it was vulnerable to dozens of publicly documented flaws." Anticipating that Symantec would fix that in all of its code bases, Ormandy went on, "but they appear to have just backported fixes for the few issues I sent them."
"Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh."
This is the third batch of flaws in Symantec security products reported by Ormandy this year; the first, in May, included a vulnerability Ormandy described as being "as bad as it can possibly get." At the time, Ormandy wrote, that flaw, an RCE vulnerability, was particularly bad because Symantec used "a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it."
Listen to the Risk & Repeat podcast about Symantec's ongoing issues with vulnerabilities in its security products.
Find out more about lessons to be learned by antivirus vendors from research conducted by Tavis Ormandy on security flaws in Sophos' antivirus engine.
Read about the new Google Project Zero Prize competition to improve Android security.