In this Risk & Repeat podcast, SearchSecurity editors discuss a new Google Project Zero report on yet another round of critical Symantec vulnerabilities.
A second bug report from Google Project Zero has revealed more critical Symantec vulnerabilities and raised questions about the world's largest software security company.
Symantec was first hit with bad news in May when Project Zero researcher Tavis Ormandy reported a series of critical Symantec vulnerabilities, the most serious of which was a flaw in the company's antivirus scanning engine. Ormandy explained that the scanning engine is loaded into the kernel on Windows systems, which would let attackers trigger memory corruption remotely simply by sending an email to a potential victim. "[T]his is about as bad as it can possibly get," he wrote at the time.
But Ormandy used similar words -- "These vulnerabilities are as bad as it gets" -- last week to describe the latest round of critical flaws within the Symantec core software engine, which this time around affects the company's entire consumer-to-enterprise product line. Ormandy revealed that Symantec is using unpatched, outdated open source software within its core engine, leading to remote code execution and memory corruption vulnerabilities. "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," Ormandy wrote in the newest bug report. "In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
While Symantec worked with Project Zero to address the newest flaws and released patches for its software, some of the company's enterprise products cannot be updated automatically and require administrators to apply the update themselves.
In this episode of SearchSecurity's Risk & Repeat podcast, site editors Rob Wright and Peter Loshin examine the newest batch of Symantec vulnerabilities, what the vulnerabilities mean for the company and its reputation, and what may be next for Symantec.