Weeks after reporting a dangerous flaw in Symantec's antivirus products, Google Project Zero published details of yet another set of critical vulnerabilities in the core engine used across Symantec's entire product line, from consumer services to Symantec's carrier-grade offerings.
While Symantec's Norton consumer line has already been patched through LiveUpdate, Symantec's enterprise products may require direct action by administrators to apply the patches. The vulnerabilities, reported by Google Project Zero security researcher Tavis Ormandy, require no user interaction and are similar to the dangerous Symantec vulnerability reported last month. This time around, however, Ormandy reported that some of the flaws stem from outdated, unpatched third-party open source code bundled into Symantec's scan engine.
"These vulnerabilities are as bad as it gets," Ormandy wrote on the Google Project Zero blog. "They don't require any user interaction, they affect the default configuration and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
Symantec's core engine uses a filter driver to intercept system I/O, so any file that reaches a target system, whether as an email attachment or via a link, is scanned automatically; a malicious archive is therefore enough to trigger the vulnerability. No user interaction is required: "the victim does not need to open the file or interact with it in any way," Ormandy wrote. "Because no interaction is necessary to exploit it, this is a wormable vulnerability, with potentially devastating consequences to Norton and Symantec customers."
Ormandy flayed Symantec over its use of unpatched, third-party software in his bug description, explaining that a key component of the Symantec Antivirus scan engine, called the Decomposer, unpacks archive files running with full-system privileges. "It is self-evident from looking at the Decomposer code that Symantec [has] based the RAR decompression on the open source UnRAR package from RAR Labs," Ormandy wrote in the bug report. "By comparing Symantec's code to the open source code, I have determined that Symantec [is] probably using version 4.1.4 of the UnRAR code, released in January 2012. The most current version is version 5.3.11.
"In my opinion, I'm being exceptionally generous, considering this issue [as] a new vulnerability and not public information. Frankly, it is astonishing that Symantec [does] not track new releases of third-party code [it] use[s]. I think you should take this opportunity to check all other third-party code you're using to verify you haven't fallen behind."
Symantec, with which Ormandy had been working since he discovered the flaws in late April and early May, posted security advisories for all affected products. "Symantec is aware of buffer overflow and memory corruption findings in the AntiVirus Decomposer engine used in various configurations by multiple Symantec products," the company wrote, adding, "Symantec is not aware of these vulnerabilities being exploited in the wild."
Meanwhile, Nicholas Weaver, computer security researcher at the International Computer Science Institute in Berkeley, Calif., expressed disbelief at the Symantec vulnerabilities:
"Symantec's unpacker runs in the KERNEL?!?!? WTF!?!?!? https://t.co/FkU3tJAgpc" (Nicholas Weaver, @ncweaver, June 29, 2016)