
Google Project Zero discloses dangerous Symantec vulnerability

Google Project Zero disclosed a Symantec vulnerability that can be exploited with zero user interaction and was described as being "as bad as it can possibly get."

A newly disclosed Symantec vulnerability is described as being "as bad as it can possibly get" by the Google Project Zero member who found the flaw in the antivirus software.

Tavis Ormandy, a Google Project Zero researcher, found several remote code execution vulnerabilities in Symantec antivirus products, but the most severe was a flaw in the core scanning engine used in most Symantec and Norton-branded antivirus products. Ormandy said exploiting this vulnerability requires zero interaction from the user, and an exploit could be as simple as the user receiving one email.

"Because Symantec use[s] a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it," Ormandy wrote. "On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 [sic] memory corruption vulnerability -- this is about as bad as it can possibly get."

Symantec released an update to its Antivirus Engine (AVE), version 20151.1.1.4, to remediate the most severe vulnerability, but the other flaws disclosed by Ormandy will require a patch that had not been released at the time of this publication.

"Symantec was notified of a critical issue in the AVE scan engine when parsing incoming malformed portable-executable (PE) header files. Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious Web site. No user interaction is required to trigger the parsing of the malformed file," Symantec wrote in the advisory. "Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation. The most common symptom of successful exploitation resulted in an immediate system crash."

The fact that Symantec's antivirus scanning engine is loaded into the kernel on Windows makes this Symantec vulnerability especially dangerous, because exploiting the scanning engine flaw causes a memory corruption issue within the kernel and could allow remote attackers to seize full control of some systems.
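To make the advisory's failure mode concrete, here is an added example (not code from Symantec, Project Zero or the article) of the discipline a file parser running at kernel or root privilege needs: a PE header walk in C that bounds-checks every file-supplied offset and count (e_lfanew, NumberOfSections, SizeOfOptionalHeader) against the buffer before reading, so a malformed header is rejected rather than driving an out-of-bounds access. The section cap and the sample-image builder are assumptions for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define MZ_MAGIC 0x5A4D      /* "MZ" */
#define PE_MAGIC 0x00004550  /* "PE\0\0" */
/* Bounds-checked little-endian reads: fail instead of reading past len. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *v) {
    if (off > len || len - off < 2) return 0;
    *v = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *v) {
    if (off > len || len - off < 4) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
         ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}
/* Returns NumberOfSections if the headers are well-formed, -1 otherwise. */
int pe_validate(const uint8_t *buf, size_t len) {
    uint16_t mz, nsec, opt_size;
    uint32_t e_lfanew, sig;
    if (!rd16(buf, len, 0, &mz) || mz != MZ_MAGIC) return -1;
    if (!rd32(buf, len, 0x3C, &e_lfanew)) return -1;
    /* e_lfanew is file-controlled: signature (4) + COFF header (20) must fit */
    size_t pe = e_lfanew;
    if (pe > len || len - pe < 24) return -1;
    if (!rd32(buf, len, pe, &sig) || sig != PE_MAGIC) return -1;
    if (!rd16(buf, len, pe + 6, &nsec)) return -1;      /* NumberOfSections */
    if (!rd16(buf, len, pe + 20, &opt_size)) return -1; /* SizeOfOptionalHeader */
    if (nsec == 0 || nsec > 96) return -1;              /* 96: assumed sanity cap */
    /* Each section header is 40 bytes; the whole table must fit as well. */
    size_t sect = pe + 24 + opt_size;
    if (sect > len || (len - sect) / 40 < nsec) return -1;
    return nsec;
}
/* Constructed sample image (little-endian host assumed); returns its length. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t e_lfanew,
                    uint16_t nsec, uint16_t opt_size) {
    memset(buf, 0, cap);
    if (cap < 0x40) return cap;
    buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + 0x3C, &e_lfanew, 4);
    if (e_lfanew <= cap && cap - e_lfanew >= 24) {
        memcpy(buf + e_lfanew, "PE\0\0", 4);
        memcpy(buf + e_lfanew + 6, &nsec, 2);
        memcpy(buf + e_lfanew + 20, &opt_size, 2);
    }
    return cap;
}
```

Feeding a file-supplied e_lfanew that points past the end of the buffer, or a section count whose table cannot fit, returns -1 instead of touching memory outside the input.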

The practice of unpacking malware in the Windows kernel has led many to criticize Symantec on Twitter:


What do you think about this Symantec vulnerability?
This is bad architecture.

Also, loading the malware database in kernel memory is not good.

Well, here I am for years crowing about how wonderful Norton Anti Virus is. Been selling my whole family on it and co-workers and friends. Now I will have egg on my face if they read this or get infected. Thanks a million, Symantec!
Let any one of you who is without sin be the first to throw a stone.
It was neither quick nor easy to pry Norton out of the machines here. Interestingly, everyone feels more secure now that it's gone. We've replaced it, of course, and we'll never go back to such an invasive program with a wide open back door.

All I can say is "QA???"

@krusealexander - Testing is a heuristic process, which means it's not guaranteed to be optimal and it is fallible. That said, this goes far beyond QA into the systems architecture.
This is a never-ending story. I think it is time to change the basics of cyber security -
This is kind of a black swan-type scenario where it’s easy to criticize Symantec in hindsight.