Individuals and businesses alike turn to Symantec for system security, but a recently discovered vulnerability reveals that some versions of the software may do more harm than good. On Tuesday, researchers disclosed a bug that affects the majority of the Symantec product line and exposes millions of users to the threat of automatically propagating attacks.

The news broke shortly after Symantec issued its own advisory on vulnerabilities found in 17 Symantec enterprise products and eight Norton consumer and small business products. The full extent of the threat was not made clear, however, until Tavis Ormandy, a researcher with Google’s Project Zero, provided the full account.

Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

An attacker could easily compromise an entire enterprise fleet using a vulnerability like this.

The severity of the threat comes from the way that Symantec products interact with, or rather filter, data on a system. The Symantec security engine views all files and links available in a session and attempts to analyze them before they are opened or clicked. This means that even though the user never personally activates a potentially malicious file, the security software will still unpack and parse the contained code. Because Symantec runs directly in the operating system kernel, errors in that parsing code can allow attackers to gain complete control over a machine.

The Tuesday Symantec advisory took steps to address the worst of these auto-executing vulnerabilities. If you or your business uses Symantec products, it is essential that you apply the latest software updates. For most private users these updates are installed automatically, but enterprise versions of the software may require authorization before they can be applied. Given the severity of the threat, this is one update that you should check for and install immediately.

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer