Critical vulnerabilities open Symantec customers to remote hack

Symantec has fixed dozens of critical vulnerabilities affecting its solutions that can be exploited by remote attackers for arbitrary code execution.

The popular Google Project Zero hacker Tavis Ormandy last month reported a number of critical security issues in Symantec solutions, and this is the good news. The bad news is that Symantec promptly fixed one of them requesting more time to solve the others due to their complexity.

This week Symantec published a security advisory to announce that all the vulnerabilities discovered by Ormandy have been resolved.

The list of flaws impacting 25 Symantec and Norton solutions includes buffer overflow (CVE-2016-2209 and CVE-2016-2210), memory corruption (CVE-2016-2211 and CVE-2016-3644), memory access violation (CVE-2016-2207 and CVE-2016-3646), and integer overflow (CVE-2016-3645) vulnerabilities.

According to Ormandy, the vulnerabilities resides in the “decomposer” component of the Symantec Antivirus Engine that was designed to “decomposer” library, and is used for extracting document metadata and embedded macros. In order to perform the operations it was designed for, the decomposer runs with system/root privileges.

“Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.

These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.” Ormandy wrote in a blog post.

Most of the vulnerabilities could be triggered remotely by simply tricking victims into open a specially crafted file or visit a bogus website.

Ormandy also highlighted the importance of vulnerability management for antivirus vendors.

The analysis he made on the Symantec decomposer allowed him to discover that the library was using code from open source libraries like libmspack and unrarsrc that the company hadn’t updated in at least 7 years.

“Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.” wrote Ormandy.

The company published a security notice confirming the security vulnerabilities.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – hacking antivirus)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.