The popular Google Project Zero hacker Tavis Ormandy last month reported a number of critical security issues in Symantec solutions, and this is the good news. The bad news is that Symantec promptly fixed one of them requesting more time to solve the others due to their complexity.
This week Symantec published a security advisory to announce that all the vulnerabilities discovered by Ormandy have been resolved.
The list of flaws impacting 25 Symantec and Norton solutions includes buffer overflow (CVE-2016-2209 and CVE-2016-2210), memory corruption (CVE-2016-2211 and CVE-2016-3644), memory access violation (CVE-2016-2207 and CVE-2016-3646), and integer overflow (CVE-2016-3645) vulnerabilities.
According to Ormandy, the vulnerabilities resides in the “decomposer” component of the Symantec Antivirus Engine that was designed to “decomposer” library, and is used for extracting document metadata and embedded macros. In order to perform the operations it was designed for, the decomposer runs with system/root privileges.
“Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.
Most of the vulnerabilities could be triggered remotely by simply tricking victims into open a specially crafted file or visit a bogus website.
Ormandy also highlighted the importance of vulnerability management for antivirus vendors.
The analysis he made on the Symantec decomposer allowed him to discover that the library was using code from open source libraries like libmspack and unrarsrc that the company hadn’t updated in at least 7 years.
“Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.” wrote Ormandy.
The company published a security notice confirming the security vulnerabilities.
[adrotate banner=”9″]
(Security Affairs – hacking antivirus)
A former U.S. NSA employee has been sentenced to nearly 22 years in prison for…
A new malware named Cuttlefish targets enterprise-grade and small office/home office (SOHO) routers to harvest…
A flaw in the R programming language enables the execution of arbitrary code when parsing…
The China-linked threat actors Muddling Meerkat are manipulating DNS to probe networks globally since 2019.…
Finnish hacker was sentenced to more than six years in prison for hacking into an…
The US government’s cybersecurity agency CISA published a series of guidelines to protect critical infrastructure…
This website uses cookies.