Critical vulnerabilities open Symantec customers to remote hack

Pierluigi Paganini June 29, 2016

Symantec has fixed dozens of critical vulnerabilities affecting its solutions that can be exploited by remote attackers for arbitrary code execution.

The popular Google Project Zero hacker Tavis Ormandy last month reported a number of critical security issues in Symantec solutions, and this is the good news. The bad news is that Symantec promptly fixed one of them requesting more time to solve the others due to their complexity.

This week Symantec published a security advisory to announce that all the vulnerabilities discovered by Ormandy have been resolved.

The list of flaws impacting 25 Symantec and Norton solutions includes buffer overflow (CVE-2016-2209 and CVE-2016-2210), memory corruption (CVE-2016-2211 and CVE-2016-3644), memory access violation (CVE-2016-2207 and CVE-2016-3646), and integer overflow (CVE-2016-3645) vulnerabilities.

According to Ormandy, the vulnerabilities resides in the “decomposer” component of the Symantec Antivirus Engine that was designed to “decomposer” library, and is used for extracting document metadata and embedded macros. In order to perform the operations it was designed for, the decomposer runs with system/root privileges.

“Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws. 

These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”  Ormandy wrote in a blog post.

Most of the vulnerabilities could be triggered remotely by simply tricking victims into open a specially crafted file or visit a bogus website.

Symantec Antivirus Engine flaws

Ormandy also highlighted the importance of vulnerability management for antivirus vendors.

The analysis he made on the Symantec decomposer allowed him to discover that the library was using code from open source libraries like libmspack and unrarsrc that the company hadn’t updated in at least 7 years.

“Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.” wrote Ormandy.

The company published a security notice confirming the security vulnerabilities.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hacking  antivirus)

you might also like

leave a comment