Sergey Nivens - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Symantec patches two more flaws after Google Project Zero discoveries

Symantec patched another set of serious file parsing flaws in its antivirus products, which were discovered by Google Project Zero researcher Tavis Ormandy.

The Google Project Zero bug reports just keep coming for Symantec.

Symantec patched two flaws in the file parser component of its antivirus decomposer engine, used by many Symantec products, after they were discovered in June by Google Project Zero information security engineer Tavis Ormandy. The bugs, which are the latest in a series of high-profile vulnerabilities affecting Symantec antivirus products, appear to parallel those Ormandy reported, and were patched by Symantec, earlier this year.

Although Symantec's report indicated the patched vulnerabilities were of medium severity, Ormandy disagreed, claiming Symantec had mischaracterized the flaws as enabling denial-of-service attacks; Ormandy insisted that they enable remote code execution attacks:

Via its LiveUpdate system, Symantec patched all Norton Security and Norton Antivirus products for Windows and Mac, but many of its enterprise products will need to be updated manually.

Ormandy wrote in the issue report: "We pointed out to Symantec that they hadn't updated their unrar-based unpacker for years, and it was vulnerable to dozens of publicly documented flaws." Anticipating that Symantec would fix that in all of its code bases, Ormandy went on, "but they appear to have just backported fixes for the few issues I sent them."

"Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh."

This is the third batch of flaws in Symantec security products reported by Ormandy this year; the first, in May, included a vulnerability Ormandy described as being "as bad as it can possibly get." At the time, Ormandy wrote, that flaw, an RCE vulnerability, was particularly bad because Symantec used "a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it."

Next Steps

Listen to the Risk & Repeat podcast about Symantec's ongoing issues with vulnerabilities in its security products.

Find out more about lessons to be learned by antivirus vendors from research conducted by Tavis Ormandy on security flaws in Sophos' antivirus engine.

Read about the new Google Project Zero Prize competition to improve Android security.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

How do you feel about Symantec's string of vulnerabilities reported this year in its security software?
It is, sorry to say, a pretty standard problem for this error-prone, non-responsive company. We removed Symantec everything after the backup program "lost" our entire system backup.... We could see the files, but Symantec couldn't. It took a long day and third-party software to restore our files. Alas, file by file by file.
And yet -- Symantec is still a market leader, presumably because people and companies keep buying their products.

The other question is, what alternatives are there, and how do they rate?
They're unfortunately on the receiving end of attacks because they're the big player in the industry. Not excusing these flaws but haven't we seen similar stuff with Microsoft, Google, and others?
Kevin, I think there has to be some outrage over Symantec's approach of selectively patching the vulnerabilities Ormandy reported.

"Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh."

I don't recall Microsoft or Google doing anything as egregious as that...

Irony and opportunity are the two words that come to mind. Irony because, well, it's a security company with security issues. Opportunity because, depending on how Symantec responds, they can set a positive example for customers and others.