
Image credit: Tony Avelar/Bloomberg via Getty Images

Google: Symantec antivirus flaws are 'as bad as it gets'

Norton and Symantec users should take "immediate action" to update.

Products from Symantec that are supposed to protect users have made them much more open to attack, according to Google. Researcher Tavis Ormandy has spotted numerous vulnerabilities in 25 Norton and Symantec products that are "as bad as it gets," he says. "Just emailing a file to a victim or sending them a link to an exploit is enough to trigger it -- the victim does not need to open the file or interact with it in any way." Symantec has already published fixes for the flaws, so users would do well to install them immediately.

Google's Project Zero team searches for "zero-day" code flaws and gives companies 90 days (plus a two-week grace period) to fix them. In this case, Ormandy published the blog post shortly after Symantec pushed the fixes, saying the antivirus company did resolve the bugs "quickly."

However, he excoriated Symantec for the danger of the errors and its incompetence in allowing them. In one case, he found a buffer overflow flaw in the company's "unpacker," which searches for hidden trojans and worms. "Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences," he says. "An attacker could easily compromise an entire enterprise fleet." He added that the unpackers have kernel access, which is "maybe not the best idea."


The researcher built and released his own exploit to help Symantec develop an effective fix. He calls it a "100 percent reliable exploit, effective against the default configuration in Norton Antivirus and Symantec Endpoint [and] exploitable just from email or the web."

He reserved his harshest criticism for Symantec's vulnerability management, which it's supposed to use to check for published flaws and ensure it has the latest open-source updates. "Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries ... but hadn't updated them in at least 7 years."


Symantec isn't the only antivirus company with issues, as the prolific Ormandy has also flagged Trend Micro, McAfee and others. He even questioned the wisdom of using antivirus software in the first place, calling it "a significant tradeoff in terms of increasing [the] attack surface."

The bugs affect Norton Antivirus on Mac and Windows, Endpoint and numerous other Symantec products. As mentioned, the flaws have already been patched, and in most cases, you'll get the updates automatically. As noted in the blog, however, "some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks."
