Google's Project Zero team searches for "zero-day" code flaws and gives companies 90 days (plus a two week grace period) to fix them. In this case, Ormandy published the blog post shortly after Symantec pushed the fixes, saying the antivirus company did resolve the bugs "quickly."
However, he excoriated Symantec for the danger of the errors and its incompetence in allowing them. In one case, he found a buffer overflow flaw in the company's "unpacker," which searches for hidden trojans and worms. "Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences," he says. "An attacker could easily compromise an entire enterprise fleet." He added that the unpackers have kernel access, which is "maybe not the best idea."LightRocket via Getty Images
The researcher built and released his own exploit to help Symantec develop an effective fix. He calls it a "100 percent reliable exploit, effective against the default configuration in Norton Antivirus and Symantec Endpoint [and] exploitable just from email or the web."
He reserved his harshest criticism for Symantec's vulnerability management, which it's supposed to use to check for published flaws and ensure it has the latest open-source updates. "Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries ... but hadn't updated them in at least 7 years."
Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries ... but hadn't updated them in at least 7 years
Symantec isn't the only antivirus company with issues, as the prolific Ormandy has also flagged Trend Micro, McAfee and others. He even questioned the wisdom of using antivirus software in the first place, calling it "a significant tradeoff in terms of increasing [the] attack surface."
The bugs affect Norton Antivirus on Mac and Windows, Endpoint and numerous other Symantec products. As mentioned, the fixes have already been patched, and in most cases, you'll get the updates automatically. As noted in the blog, however, "some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks."