Software Integrity Blog


Serious Symantec AV engine vulnerability to be patched

Google Project Zero researcher Tavis Ormandy disclosed a remote heap/pool memory corruption vulnerability in all versions of Symantec- and Norton-branded antivirus products.

In a forum post, he said that because of the way the Symantec filter works, simply emailing a compromised file or sending a compromised link to a victim is enough to exploit the vulnerability, CVE-2016-2208.

The flaw centers around how the Symantec/Norton antivirus engine handles executable files packed by early versions of ASPack. In certain cases it can result in a buffer overflow. Ormandy explained “on Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get.”

Symantec has responded with confirmation and a patch. “We have confirmed your findings and have resolutions as well as doing additional reviews,” the company wrote on Ormandy’s forum post. “We can easily update a version of one of our products, Norton Security for example, with an updated engine by the end of the week and if you would like can provide you with a beta release of that for your review. Unfortunately, not all products will be updated the same which of course has impacts on final release of updates and an associated Security Advisory. Some are quick and fairly simple updates, live update of course, but others require a maintenance patch build, test, release which takes a bit longer.”

Over the past year or so, Ormandy has focused on the antivirus market. He recently demonstrated flaws in Trend Micro’s Password Manager as well as vulnerabilities in Kaspersky Lab, FireEye, and Sophos antimalware products.
