Major security hole found in Norton Antivirus

May 2016 by

Tavis Ormandy, from Google’s Project Zero, recently discovered a major security
vulnerability in Symantec’s Antivirus Engine (used in most Symantec and Norton
branded antivirus products). The security hole affects multiple platforms,
compromising Mac, Windows, and Linux systems.

According to Ormandy, “When parsing executables packed by an early version of
aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in
most Symantec and Norton branded Antivirus products. The problem occurs when section
data is truncated, that is, when SizeOfRawData is greater than SizeOfImage. This is
a remote code execution vulnerability. Because Symantec use a filter driver to
intercept all system I/O, just emailing a file to a victim or sending them a link is
enough to exploit it.”
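
A defensive triage check for the header condition described above, as an added example that is not from the original article, Symantec or Project Zero: it parses a PE file's section table and flags any section whose SizeOfRawData exceeds SizeOfImage. Going slightly beyond the quote, it also flags raw data that runs past the end of the file. The function names and the header-only sample produced by `build_sample` are constructed for illustration.

```python
import struct

# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (+16 unused bytes)
SECTION_HDR = struct.Struct("<8sIIII16x")

def audit_pe_sections(data: bytes) -> list:
    """Return findings for sections whose raw size is inconsistent with the image or the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections at +6 and SizeOfOptionalHeader at +20 from the signature
    num_sections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt_off = pe_off + 24
    if opt_size < 60 or opt_off + opt_size > len(data):
        raise ValueError("truncated optional header")
    # SizeOfImage sits at offset 56 in both PE32 and PE32+ optional headers
    (size_of_image,) = struct.unpack_from("<I", data, opt_off + 56)
    findings = []
    table = opt_off + opt_size
    for i in range(num_sections):
        off = table + i * SECTION_HDR.size
        if off + SECTION_HDR.size > len(data):
            findings.append(f"section {i}: header truncated")
            break
        name, _vsize, _vaddr, raw_size, raw_ptr = SECTION_HDR.unpack_from(data, off)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_size > size_of_image:
            findings.append(f"{label}: SizeOfRawData {raw_size:#x} > SizeOfImage {size_of_image:#x}")
        if raw_ptr + raw_size > len(data):
            findings.append(f"{label}: raw data extends past end of file")
    return findings

def build_sample(raw_size: int, size_of_image: int = 0x2000) -> bytes:
    """Constructed header-only PE32 with one section, used only to exercise the audit."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 56, size_of_image)
    sect = SECTION_HDR.pack(b".text", 0x1000, 0x1000, raw_size, 0x200)
    body = dos + coff + bytes(opt) + sect
    return body.ljust(0x200, b"\0") + b"\0" * 0x200           # 0x200 bytes of section data

if __name__ == "__main__":
    for size in (0x200, 0x3000):
        print(hex(size), audit_pe_sections(build_sample(size)))
```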

Eldon Sprickerhoff, chief security strategist at eSentire, says, “All non-trivial
code hosts vulnerabilities. It’s especially important when the code reaches deep
into the kernel (which basically controls all of the machines). Anything that can
subvert the security of the end-user from a low level is particularly critical. If
you’re looking for a good attack surface, security software (with antivirus as a
subset) is a pretty good one – especially when antivirus software is pretty much
guaranteed to be installed on most Microsoft workstations. Plus, there are only a
handful of "big players" that cover this market (e.g. the 80/20 rule). As a rule,
patching and applying updates as they become available remains the best defense when
a vulnerability like this is disclosed.”

