lolloj - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Google Project Zero discloses dangerous Symantec vulnerability

Google Project Zero disclosed a Symantec vulnerability that can be exploited with zero interaction and was described being as bad as it can possibly get.

A newly disclosed Symantec vulnerability is described being "as bad as it can possibly get" by the Google Project Zero member who found the flaw in the antivirus software.

Tavis Ormandy, Google Project Zero researcher, found several remote code execution vulnerabilities in Symantec antivirus products, but the most severe was a flaw in the core scanning engine used in most Symantec and Norton-branded antivirus products. Ormandy said exploiting this vulnerability requires zero interaction by the user and an exploit could be as simple as a user receiving one email.

"Because Symantec use[s] a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it," Ormandy wrote. "On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 [sic] memory corruption vulnerability -- this is about as bad as it can possibly get."

Symantec released an update to its Antivirus Engine (AVE), version 20151.1.1.4, to remediate the most severe vulnerability, but the other flaws disclosed by Ormandy will require a patch that had not been released at the time of this publication.

"Symantec was notified of a critical issue in the AVE scan engine when parsing incoming malformed portable-executable (PE) header files. Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious Web site. No user interaction is required to trigger the parsing of the malformed file," Symantec wrote in the advisory. "Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation. The most common symptom of successful exploitation resulted in an immediate system crash."

The fact that Symantec's antivirus scanning engine is loaded into the kernel on Windows makes this Symantec vulnerability especially dangerous, because exploiting the scanning engine flaw causes a memory corruption issue within the kernel and could allow remote attackers to seize full control of some systems.

The practice of unpacking malware in the Windows kernel has led many to criticize Symantec on Twitter:

Next Steps

Learn how Google Project Zero stoked the vulnerability disclosure debate.

Find out about the types of malware that attack corporate email infrastructure.

Get tips on detecting and combating malicious email.

Dig Deeper on Microsoft Patch Tuesday and patch management