Symantec has patched multiple vulnerabilities that would have made its customers easy pickings for an attacker.
One complication is that while the security giant does have patches, not all of them can be delivered through automatic updates.
“These vulnerabilities are as bad as it gets,” Tavis Ormandy, a member of Google’s Project Zero initiative, said in a blog post. “They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
The vulnerable code is part of ASPack, a commercial packing tool that Symantec uses to analyze files scanned for malware.
Ormandy said Symantec runs this component in the operating system’s kernel, under the highest privilege available. A vulnerability in this component gives the attacker the ability to take over the system, without the need for a second-stage exploit to escalate their access.
Besides this main issue, the researcher also found multiple stack buffer overflows and memory corruption issues.
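The point behind Ormandy's "no second-stage exploit needed" remark is that an unpacker parsing attacker-supplied input at the highest privilege level must validate every length it reads before copying. The C below is an added illustration, not Symantec's or ASPack's code: it defines a constructed toy container format (a "TPCK" magic followed by length-prefixed records, an assumption made for this example) and shows the checks a trusting `memcpy(dst, src, declared_len)` omits, rejecting a length that overruns the input, the destination buffer, or the record table.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Largest payload a caller's fixed buffer can hold. */
#define MAX_PAYLOAD 64

/* Constructed toy container format (not ASPack; illustrative only):
 *   4-byte magic "TPCK", then records of [uint32 LE payload_len][payload bytes]. */
static const uint8_t MAGIC[4] = { 'T', 'P', 'C', 'K' };

/* Read a little-endian uint32 at `off`, refusing to read past `buf_len`. */
static int read_u32le(const uint8_t *buf, size_t buf_len, size_t off, uint32_t *out) {
    if (off > buf_len || buf_len - off < 4) return -1;   /* header truncated */
    *out = (uint32_t)buf[off]
         | ((uint32_t)buf[off + 1] << 8)
         | ((uint32_t)buf[off + 2] << 16)
         | ((uint32_t)buf[off + 3] << 24);
    return 0;
}

/* Unpack every record into out[i] (at most MAX_PAYLOAD bytes each).
 * Returns the record count, or -1 if the input is malformed. The declared
 * length is validated against the remaining input, the destination capacity
 * and the caller's record table before any byte is copied. */
int unpack_container(const uint8_t *buf, size_t buf_len,
                     uint8_t out[][MAX_PAYLOAD], size_t out_lens[],
                     size_t max_records) {
    if (buf_len < sizeof MAGIC || memcmp(buf, MAGIC, sizeof MAGIC) != 0) return -1;
    size_t off = sizeof MAGIC, n = 0;
    while (off < buf_len) {
        uint32_t len;
        if (read_u32le(buf, buf_len, off, &len) != 0) return -1;
        off += 4;
        if (len > buf_len - off) return -1;   /* length claims more bytes than exist */
        if (len > MAX_PAYLOAD) return -1;     /* would overrun the destination buffer */
        if (n >= max_records) return -1;      /* would overrun the record table */
        memcpy(out[n], buf + off, len);
        out_lens[n] = len;
        n++;
        off += len;
    }
    return (int)n;
}

/* Constructed sample inputs: one well-formed file and three malformed ones. */
int example_valid(void) {
    static const uint8_t in[] = { 'T','P','C','K', 3,0,0,0, 'a','b','c', 2,0,0,0, 'x','y' };
    uint8_t out[4][MAX_PAYLOAD]; size_t lens[4];
    return unpack_container(in, sizeof in, out, lens, 4);   /* 2 records */
}
int example_length_exceeds_input(void) {
    static const uint8_t in[] = { 'T','P','C','K', 0xff,0xff,0xff,0xff, 'a' };
    uint8_t out[4][MAX_PAYLOAD]; size_t lens[4];
    return unpack_container(in, sizeof in, out, lens, 4);   /* -1 */
}
int example_payload_too_large(void) {
    uint8_t in[4 + 4 + 100];
    memcpy(in, MAGIC, 4);
    in[4] = 100; in[5] = in[6] = in[7] = 0;                   /* len = 100 > MAX_PAYLOAD */
    memset(in + 8, 'Z', 100);
    uint8_t out[4][MAX_PAYLOAD]; size_t lens[4];
    return unpack_container(in, sizeof in, out, lens, 4);   /* -1 */
}
int example_truncated_header(void) {
    static const uint8_t in[] = { 'T','P','C','K', 5,0 };
    uint8_t out[4][MAX_PAYLOAD]; size_t lens[4];
    return unpack_container(in, sizeof in, out, lens, 4);   /* -1 */
}

int main(void) {
    printf("valid: %d, length lies: %d, payload too large: %d, truncated: %d\n",
           example_valid(), example_length_exceeds_input(),
           example_payload_too_large(), example_truncated_header());
    return 0;
}
```

The design choice worth noting is that every rejection happens before the copy, and the only arithmetic on attacker-controlled values is a comparison against what actually remains in the buffer, so a crafted length can fail the parse but cannot move the write or read cursor out of bounds.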
Ormandy also discovered that Symantec used open source libraries in its products, such as libmspack and unrarsrc, but had not updated them for the past seven years. An attacker would only need to use one of the publicly known vulnerabilities in these libraries.
Exploitation of some of these issues is trivial, Ormandy said, adding some don’t require user interaction, and some are even “wormable,” being able to spread to other nearby devices on their own.
An attacker would only need to send an email to the target containing a malicious file that exploits one of these issues. Additionally, the attacker could host their exploit code online and embed a link to the malicious URL inside the email.
The list of affected products includes a large number of older, legacy Norton products, Symantec Endpoint Protection, Symantec Email Security, Symantec Protection Engine, Symantec Protection for SharePoint Servers, and many more.
In all cases, the vulnerabilities are cross-platform. Symantec did release patches for all affected products.