Batu69 Posted June 29, 2016

Some bugs are wormable and affect a large number of products

Symantec's heuristics engine is the source of some issues

Tavis Ormandy, a member of Google's Project Zero initiative, has discovered a series of vulnerabilities in Symantec's security products. Due to the nature of these flaws, they affect a large number of Symantec products, and not all can be patched via automatic updates.

"These vulnerabilities are as bad as it gets," Ormandy writes on Google's blog. "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

The vulnerable code to which Ormandy is referring is part of ASPack, a commercial packing software piece that Symantec uses to analyze files scanned for malware.

Running code in the kernel is always a bad idea

Ormandy says that Symantec's mistake was to run this component in the operating system's kernel, under the highest privilege available. A vulnerability in this component gives the attacker a golden ticket to full control over the system, without the need for a second-stage exploit to escalate their access.

Besides this main issue, CVE-2016-2208, the researcher also claims he found multiple stack buffer overflows and memory corruption issues.

The researcher also discovered that Symantec had used open source libraries in its products, such as libmspack and unrarsrc, but forgot to update them for the past seven years. An attacker would only need to employ one of the publicly known issues for these tools.

Exploitation is trivial, bugs affect multiple products, on all platforms

Exploitation of some of these issues is trivial, according to Ormandy, who says that some don't require user interaction, and some are even wormable, being able to spread to other nearby devices on their own.

An attacker would only need to send an email to the target containing a malicious file that exploits one of these issues. Additionally, the attacker could host their exploit code online and embed a link to the malicious URL inside the email.

The list of affected products includes a large number of older, legacy Norton products, Symantec Endpoint Protection, Symantec Email Security, Symantec Protection Engine, Symantec Protection for SharePoint Servers, and many more. In all cases, the vulnerabilities are cross-platform. Symantec has released patches for all affected products.

In May, Ormandy helped Symantec plug another security hole in its product. Besides Symantec, in the past, the researcher found bugs in the software of security vendors such as FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG.
TheMountain Posted June 29, 2016

"Besides Symantec, in the past, the researcher found bugs in the software of security vendors such as FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG."

This is one of many reasons why I don't use real-time AV protection. The cure is worse than the disease.
humble3d Posted July 19, 2016

Alert (TA16-187A)
Symantec and Norton Security Products Contain Critical Vulnerabilities
Original release date: July 05, 2016

Systems Affected
All Symantec and Norton branded antivirus products

Overview
Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

Description
The vulnerabilities are listed below:

CVE-2016-2207 Symantec Antivirus multiple remote memory corruption unpacking RAR [1]

CVE-2016-2208 Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction. [2]

CVE-2016-2209 Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3]

CVE-2016-2210 Symantec: Remote Stack Buffer Overflow in dec2lha library [4]

CVE-2016-2211 Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives [5]

CVE-2016-3644 Symantec: Heap overflow modifying MIME messages [6]

CVE-2016-3645 Symantec: Integer Overflow in TNEF decoder [7]

CVE-2016-3646 Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink [8]

Impact
The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable event.

Solution
Symantec has provided patches or hotfixes to these vulnerabilities in their SYM16-008 [9] and SYM16-010 [10] security advisories. US-CERT encourages users and network administrators to patch Symantec or Norton antivirus products immediately. While there has been no evidence of exploitation, the ease of attack, widespread nature of the products, and severity of the exploit may make this vulnerability a popular target.

References
[1] Symantec Antivirus multiple remote memory corruption unpacking RAR
[2] How to Compromise the Enterprise Endpoint
[3] Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow
[4] Symantec: Remote Stack Buffer Overflow in dec2lha library
[5] Symantec: Symantec Antivirus multiple remote memory corruption unpacking MSPACK Archives
[6] Symantec: Heap overflow modifying MIME messages
[7] Symantec: Integer Overflow in TNEF decoder
[8] Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink
[9] Symantec SYM16-008 security advisory
[10] Symantec SYM16-010 security advisory

Revisions
July 5, 2016: Initial Release

https://www.us-cert.gov/ncas/alerts/TA16-187A
Batu69 (Author) Posted July 19, 2016

Thread has been merged.