The popular Google Project Zero hacker Tavis Ormandy last month reported a number of critical security issues in Symantec solutions, and this is the good news. The bad news is that Symantec promptly fixed one of them requesting more time to solve the others due to their complexity.
This week Symantec published a security advisory to announce that all the vulnerabilities discovered by Ormandy have been resolved.
The list of flaws impacting 25 Symantec and Norton solutions includes buffer overflow (CVE-2016-2209 and CVE-2016-2210), memory corruption (CVE-2016-2211 and CVE-2016-3644), memory access violation (CVE-2016-2207 and CVE-2016-3646), and integer overflow (CVE-2016-3645) vulnerabilities.
According to Ormandy, the vulnerabilities resides in the “decomposer” component of the Symantec Antivirus Engine that was designed to “decomposer” library, and is used for extracting document metadata and embedded macros. In order to perform the operations it was designed for, the decomposer runs with system/root privileges.
“Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.
Most of the vulnerabilities could be triggered remotely by simply tricking victims into open a specially crafted file or visit a bogus website.
Ormandy also highlighted the importance of vulnerability management for antivirus vendors.
The analysis he made on the Symantec decomposer allowed him to discover that the library was using code from open source libraries like libmspack and unrarsrc that the company hadn’t updated in at least 7 years.
“Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.” wrote Ormandy.
The company published a security notice confirming the security vulnerabilities.
(Security Affairs – hacking antivirus)