A researcher from Google’s Project Zero has blasted Symantec for a long list of security flaws that have placed enterprise users at risk of experiencing cyberattacks. The Symantec antivirus flaws were described as “as bad as it gets”.
Symantec Antivirus Flaws Now Addressed but Companies May Still be at Risk
Symantec has now addressed all of the vulnerabilities and has released patches. All enterprise users of Symantec products are advised to check to make sure that their anti-virus products have been patched. While updates have been pushed out and should be applied automatically, users should check to make sure they have been correctly applied. Not all products can be updated automatically.
Malicious actors could potentially use the flaws to take control of enterprise computers. Entire networks could potentially be compromised. Malicious actors would not even require users to take any action to exploit the flaws. Many could be exploited simply by sending users an email.
According to Google researcher Tavis Ormandy, who discovered the flaws, “millions of companies have been put at risk.” The security flaws affect all enterprise anti-virus products sold by Symantec, including Norton products.
Symantec was notified of the flaws and acted quickly to address all of the vulnerabilities, although the company was criticized for not discovering the flaws itself, especially considering their severity. Ormandy discovered that Symantec had used code from open source libraries to unpack compressed files. That code was four years out of date in one case and seven years out of date in another. Ormandy said in a recent blog post that “Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits.”
Other Symantec antivirus flaws were discovered that were potentially far more serious. Symantec used code to unpack and analyze ASPack compressed files which could be exploited to trigger a buffer overflow without any user interaction.
“An attacker could easily compromise an entire enterprise fleet using a vulnerability like this,” said Ormandy.
In many cases, components in anti-virus software run under the highest level of privileges possible even though this is unnecessary, which introduces avoidable risk. Ormandy pointed out that many of the Symantec antivirus flaws could be exploited to achieve remote code execution and could be used to create computer worms.
Antivirus Software Should Be Extensively Tested for Security Flaws
Symantec and other anti-virus software providers preach about the importance of protecting against threats, yet all too often they have failed to address serious flaws in their own products and have not even applied patches that have been available for years.
The Symantec antivirus flaws may be making headline news at the moment, but the company is far from the only antivirus software provider to have allowed vulnerabilities to persist in security products. Enterprises rely on these security products to protect their endpoints and networks and expect the software to be bulletproof. Enterprises do not expect that the products could actually introduce risks.
All software developers must conduct rigorous checks of their software and need to scan for vulnerabilities in their own code, as well as in code taken from third-party developers. Ormandy said, “This means monitoring for new releases of third-party software used, watching published vulnerability announcements, and distributing updates. Nobody enjoys doing this, but it’s an integral part of secure software development.”