A newly disclosed Symantec vulnerability has been described as being "as bad as it can possibly get" by the Google Project Zero member who found the flaw in the antivirus software.
Tavis Ormandy, a Google Project Zero researcher, found several remote code execution vulnerabilities in Symantec antivirus products, but the most severe was a flaw in the core scanning engine used in most Symantec and Norton-branded antivirus products. Ormandy said exploiting this vulnerability requires no interaction by the user, and an exploit could be as simple as a user receiving a single email.
"Because Symantec use[s] a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it," Ormandy wrote. "On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 [sic] memory corruption vulnerability -- this is about as bad as it can possibly get."
Symantec released an update to its Antivirus Engine (AVE), version 2022.214.171.124, to remediate the most severe vulnerability, but the other flaws disclosed by Ormandy will require a patch that had not been released at the time of this publication.
"Symantec was notified of a critical issue in the AVE scan engine when parsing incoming malformed portable-executable (PE) header files. Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious Web site. No user interaction is required to trigger the parsing of the malformed file," Symantec wrote in the advisory. "Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation. The most common symptom of successful exploitation resulted in an immediate system crash."
The fact that Symantec's antivirus scanning engine is loaded into the kernel on Windows makes this Symantec vulnerability especially dangerous, because exploiting the scanning engine flaw causes a memory corruption issue within the kernel and could allow remote attackers to seize full control of some systems.
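The advisory above attributes the crash to parsing a malformed PE header, the same kind of file-supplied structure any scanner must parse defensively. The following is an added example, not code from the article or from Symantec: a bounds-checked parser for the DOS and COFF headers that rejects malformed inputs instead of following bad offsets, with a `build_sample` helper that constructs a minimal image for illustration.

```python
import struct

# Added example, not code from the article or from Symantec: a bounds-checked
# parser for the DOS/PE headers, the structure the advisory says the AVE engine
# mis-parsed. Every file-supplied offset is validated before it is followed.
DOS_HEADER_LEN = 64
COFF_HEADER_LEN = 20
SECTION_HEADER_LEN = 40


def parse_pe_header(data: bytes) -> dict:
    """Return basic header fields, or raise ValueError on a malformed header."""
    if len(data) < DOS_HEADER_LEN or data[:2] != b"MZ":
        raise ValueError("too short or missing MZ signature")
    # e_lfanew is attacker-controlled; check it before dereferencing it.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < DOS_HEADER_LEN or e_lfanew + 4 + COFF_HEADER_LEN > len(data):
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, num_sections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # A large NumberOfSections or SizeOfOptionalHeader is the classic way to
    # push reads past the end of the buffer, so the whole table is range-checked.
    sections_off = e_lfanew + 4 + COFF_HEADER_LEN + opt_size
    if num_sections > 96 or sections_off + num_sections * SECTION_HEADER_LEN > len(data):
        raise ValueError("section table extends past end of file")
    names = []
    for i in range(num_sections):
        off = sections_off + i * SECTION_HEADER_LEN
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "sections": names, "characteristics": chars}


def build_sample(e_lfanew: int = DOS_HEADER_LEN, num_sections: int = 1) -> bytes:
    """Constructed minimal PE image for demonstration (not a real executable)."""
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(DOS_HEADER_LEN, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0, 0x0102)
    section = b".text".ljust(8, b"\0") + b"\0" * (SECTION_HEADER_LEN - 8)
    return dos + b"PE\0\0" + coff + section  # one section header regardless of count


def is_well_formed(data: bytes) -> bool:
    """True if parse_pe_header accepts the data, False if it rejects it."""
    try:
        parse_pe_header(data)
        return True
    except ValueError:
        return False
```

Passing `e_lfanew=0x1000` or `num_sections=5` to `build_sample` produces a header whose offsets run past the end of the buffer, which the parser rejects rather than reading out of bounds.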
The practice of unpacking malware in the Windows kernel has led many to criticize Symantec on Twitter:
Oh my god Norton — Blue Scorpion (@Yesnaught), May 17, 2016
In what universe does "load malware into kernel" sound like a good idea https://t.co/s8u45kxa8l
Inspecting malicious code in the kernel? That's like the bomb squad bringing a suspicious package into a kindergarten to open it. CC @taviso — Patrick Gray (@riskybusiness), May 17, 2016