Bad news for all computer users (Windows and Mac OS) working with Symantec's antivirus and security solutions. Tavis Ormandy from Google's Project Zero has uncovered a vulnerability that affects all Norton/Symantec security products.
Tavis Ormandy has published his findings in the post How to Compromise the Enterprise Endpoint; as far as is known, all security products from this vendor are affected.
Unpacker runs in kernel mode …
AV products use unpackers to extract archives and scan the unpacked content. The problem with Symantec: their implementation executes the unpacker in kernel mode. If malware is able to exploit a vulnerability in that unpacker, its code runs with SYSTEM rights (Windows) or as root (Mac OS and other operating systems). That's the first "bad"…
Some antivirus vendors approach this problem in two ways. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers. The problem with both approaches is that they are hugely complicated and prone to vulnerabilities. Google's Project Zero recommends sandboxing and a Security Development Lifecycle.
The Project Zero team was able to compromise the unpacking libraries with stack overflow attacks and execute code in kernel mode. The screenshot shown above indicates that it was possible to switch off network protection in the AV scanner, or even do nastier things. In other words: Symantec security products are nothing but a big placebo.
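As an added illustration (not code from Project Zero or Symantec, and not any real archive format), the unchecked-length pattern behind this class of unpacker stack overflow, in a constructed toy entry header, beside the bounds-checked form a decomposer should use:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy entry header, constructed for this example (not a real archive format):
 *   byte 0      : name length N, as written in the file (attacker-controlled)
 *   bytes 1..N  : file name
 */
#define NAME_MAX 16

/* The pattern behind a classic unpacker stack overflow: the length field is
 * taken straight from the archive and copied into a fixed-size stack buffer
 * with no check against the buffer or the bytes actually present. Shown only
 * to contrast with the checked version below; never run it on untrusted data. */
int read_name_unchecked(const uint8_t *in, size_t in_len, char *out, size_t out_len)
{
    char name[NAME_MAX];
    size_t n = in[0];
    (void)in_len;                 /* input length ignored: the first bug */
    memcpy(name, in + 1, n);      /* n > NAME_MAX smashes the stack frame: the second bug */
    name[n] = '\0';
    strncpy(out, name, out_len);
    return 0;
}

/* Hardened version: every length derived from the file is validated against
 * both the destination buffer and the bytes that really exist. Returns 0 on
 * success, -1 if the entry is malformed; an unpacker should then reject the
 * archive rather than guess. */
int read_name_checked(const uint8_t *in, size_t in_len, char *out, size_t out_len)
{
    if (in == NULL || in_len < 1)
        return -1;                          /* no length byte at all */
    size_t n = in[0];
    if (n >= NAME_MAX || n >= out_len)
        return -1;                          /* would not fit, including the NUL */
    if (n > in_len - 1)
        return -1;                          /* header claims more bytes than exist */
    memcpy(out, in + 1, n);
    out[n] = '\0';
    return 0;
}
```

The same three checks (length byte present, fits the destination, fits the remaining input) apply to every size field an unpacker reads, including those in the compressed-data headers; running the unpacker outside the kernel, as recommended, limits the damage when one is missed.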
Open source libraries not updated for 7 years
The second "bad", which dropped my jaw: Tavis Ormandy had a quick look at the decomposer library shipped by Symantec. It showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn't updated them in at least 7 years. Well done; the last vulnerability in libmspack was reported in 2015.
Which products are affected?
The bug is in the core scan engine’s decomposer library, so all Symantec and Norton branded products are affected. Here is a short list:
Norton Antivirus (Mac, Windows)
Symantec Endpoint (Mac, Windows, Linux, UNIX)
Symantec Scan Engine (All Platforms)
Symantec Cloud/NAS Protection Engine (All Platforms)
Symantec Email Security (All Platforms)
Symantec Protection for SharePoint/Exchange/Notes/etc (All Platforms)
All other Symantec/Norton Carrier, Enterprise, SMB, Home, etc antivirus products.
Symantec issued its own advisory, which lists 17 Symantec enterprise products and eight Norton consumer and small business products as affected. It offers hotfixes and updates for the products listed, and the auto-updaters should also install the modified components. But the question remains: is it time to update the products, or would it be a better decision to uninstall that stuff and choose a competitor?