This week, a new critical Symantec vulnerability has been discovered that enables an attacker to trigger a memory buffer overflow, allowing root-level control over a system to be gained without any user interaction. The cross-platform security vulnerability affects many Symantec and Norton anti-virus software releases.

Critical Vulnerability in Symantec AVE Scan Engine is “As Bad as it Can Possibly Get”

The critical fault has been found in the core scanning engine used in both Norton and Symantec anti-virus software, including Norton antivirus, and Symantec’s Scan Engine, Endpoint Antivirus, and Email Security, although other products may also be affected. The vulnerability affects Windows, Mac, Linux, and UNIX platforms.

Since the scan engine intercepts all system input and output, the vulnerability could be exploited by an attacker by simply sending a file attachment to a user’s inbox. The user would not even be required to open the file in order for the vulnerability to be exploited.

The vulnerability could therefore allow an attacker to take full control of the device on which the software has been installed with no user interaction necessary. The vulnerability has been described as “as bad as it can possibly get” by Tavis Ormandy – the researcher at Google Project Zero who discovered the security flaw.

Ormandy said that if the vulnerability is exploited it causes kernel memory corruption on Windows because “the scan engine is loaded into the kernel (wtf!!!).” It must be said, unpacking malware in the kernel was perhaps not the best decision. Ormandy also discovered a number of other remote code execution security vulnerabilities in Symantec products.

The new critical Symantec vulnerability has now been addressed – AVE version 20151.1.1.4 – although the remaining vulnerabilities have yet to be remediated. Users of Symantec and Norton branded products will have to wait until a patch is made available.

According to an advisory issued by Symantec, the critical vulnerability affects the AVE scanning engine and occurs “when parsing malformed portable-executable header files.” If one of these malformed portable-executable header files is downloaded in an application or document, or if a malicious website is visited which downloads one of these files onto the device, the flaw could be exploited. The flaw could also be exploited if an attacker sends one of these files to the user as an email attachment, or even if a link is sent in an email. The parsing of the malformed file would be triggered.

Symantec reported that “Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation.”

The critical Symantec vulnerability needs to be remediated as soon as possible. If you run Symantec anti-virus software and your system is not set to update automatically, it is essential to perform a manual Symantec LiveUpdate to address the issue. A patch is expected to be released in the next few days to address the other serious vulnerabilities discovered by Ormandy.