5 Fast Facts About The Latest High-Severity Symantec Vulnerabilities

Symantec Threats On The Rise

This week, the security vendor itself was in the hot seat for more than two dozen vulnerabilities in its anti-virus software, many of which were rated "high" severity. On Tuesday, Symantec posted an advisory on its site about the vulnerabilities in tandem with a blog post from a security researcher who helped the vendor uncover the issues. The vulnerabilities affect most of the company's consumer and enterprise products, and some products will need to be updated manually by partners or customers to remediate the issues. Here's what partners need to know to get up to speed on the vulnerabilities.

How Bad Are The Vulnerabilities?

Most of the vulnerabilities, which affect 25 of Symantec's products, are listed as "high" severity. What makes them particularly severe is that they are fairly easy to exploit, and from there hackers could "compromise an entire enterprise fleet using a vulnerability like this," said Tavis Ormandy, a researcher with Google's Project Zero who helped discover the vulnerabilities, in a blog post.

"These vulnerabilities are as bad as it gets," Ormandy said in the blog post. "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

What Products Are Affected?

Because Symantec uses the same core engine across many of its products, including its consumer and enterprise lines, the number of products affected by the vulnerabilities is extensive. According to an advisory posted by Symantec, the affected enterprise products include versions of Advanced Threat Protection, Symantec Data Center Security:Server (SDCS:S), Symantec Web Security .Cloud, Email Security Server .Cloud (ESS), Symantec Web Gateway, Symantec Endpoint Protection (SEP), Symantec Endpoint Protection for Mac (SEP for Mac), Symantec Endpoint Protection for Linux (SEP for Linux), Symantec Protection Engine (SPE), Symantec Protection for SharePoint Servers (SPSS), Symantec Mail Security for Microsoft Exchange (SMSMSE), Symantec Mail Security for Domino (SMSDOM), CSAPI, Symantec Message Gateway (SMG) and Symantec Message Gateway for Service Providers (SMG-SP). The vulnerabilities also affected nine of the company's consumer Norton products.

How Do The Vulnerabilities Work?

The vulnerabilities center mostly on the component Symantec uses to unpack compressed executables, which on Windows runs in the kernel. Ormandy used odd-sized records, which the unpacker incorrectly rounded up, to cause a buffer overflow. Because Symantec uses a filter driver to intercept all system I/O, this could be triggered by something as simple as emailing a file or link to a victim, with no need for them to open it, Ormandy said. The bug triggers a crash reliably when heuristics are set to "aggressive," though less reliably under the default "automatic" setting administrators typically leave in place. However, Ormandy said, hackers can get around this by triggering a change to the "aggressive" setting before exploitation.

Symantec said in its advisory that it is not aware of any of the vulnerabilities being exploited.
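The rounding bug class described above, as an added illustration that is not Symantec's code or Ormandy's proof of concept: a hypothetical unpacker that pads odd-sized records to an even length, showing the vulnerable check-then-round pattern beside a check-after-rounding version and a record parser that uses the hardened check (record layout, buffer sizes and sample bytes are all constructed for this example).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout (constructed for this example, not Symantec's
 * format): a 1-byte length followed by that many payload bytes. Each payload
 * is copied into an output buffer padded to an even length, mimicking an
 * unpacker that rounds odd record sizes up to its alignment. */

/* Round n up to the next even number: 15 -> 16, 16 -> 16. */
static size_t round_up_even(size_t n) { return (n + 1) & ~(size_t)1; }

/* Vulnerable pattern: the bounds check uses the raw length, but the copy uses
 * the rounded length. Returns the number of bytes that would be written into
 * an output buffer of 'cap' bytes, or -1 if the (insufficient) check rejects
 * the record. With an odd len equal to cap it returns cap + 1: one byte past
 * the end of the buffer. */
int vulnerable_write_len(size_t len, size_t cap) {
    if (len > cap) return -1;           /* checks the un-rounded size ... */
    return (int)round_up_even(len);     /* ... but writes the rounded size */
}

/* Hardened pattern: round first, then check, so padding can never exceed cap. */
int hardened_write_len(size_t len, size_t cap) {
    size_t padded = round_up_even(len);
    if (padded < len || padded > cap) return -1; /* also catches size_t wrap */
    return (int)padded;
}

/* Parse a stream of length-prefixed records into 'out' using the hardened
 * check. Returns the number of records copied, or -1 on a truncated or
 * oversized record; nothing is ever written at or beyond out + out_cap. */
int unpack_records(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    size_t ip = 0, op = 0;
    int count = 0;
    while (ip < in_len) {
        size_t len = in[ip++];
        if (len > in_len - ip) return -1;               /* truncated payload */
        int padded = hardened_write_len(len, out_cap - op);
        if (padded < 0) return -1;                      /* too big once padded */
        memcpy(out + op, in + ip, len);
        memset(out + op + len, 0, (size_t)padded - len); /* zero the pad byte */
        ip += len;
        op += (size_t)padded;
        count++;
    }
    return count;
}
```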

Is Symantec The Only One?

Symantec isn't the only anti-virus vendor to be hit with significant vulnerabilities like this. In his blog post, Ormandy highlighted similar examples found by Project Zero alone in Comodo, ESET, Kaspersky, FireEye and more. The problem, he said, is that these products are by nature very extensive and complicated, yet vendors often "cut corners" on recommended measures such as sandboxing and a Security Development Lifecycle that would compensate for the security challenges presented by dedicated unpackers and emulation. Ormandy said it is important for companies to weigh the "tradeoff" between the protection an anti-virus product provides and the attack surface it adds.

Is There A Fix Yet?

In an advisory about the vulnerabilities, Symantec said it has "verified these issues and addressed them in product updates." Symantec has created patches for all of the vulnerabilities in its enterprise products, some of which are delivered automatically while others require manual patching. The consumer Norton products were updated automatically through LiveUpdate, the company said.

"To fully mitigate the identified vulnerabilities, Symantec recommends applying the required patches to the affected products as soon as possible. This is the only means to ensure that installed products cannot be exploited," the advisory said.