tech2 News Staff, Jun 30, 2016 11:25:24 IST
Symantec is a cyber-security company that’s very well known in the PC and enterprise space, and its suite of security products for PCs and enterprises is renowned the world over. While they did get a bad rap for heavy consumption of system resources (something they’re yet to live down), a recently published report from Google Project Zero has now established that their core security offerings are extremely vulnerable.
Google’s Project Zero was established in 2014 and was tasked with finding zero-day exploits in software. A zero-day exploit takes advantage of an undisclosed vulnerability in a software program, one that a hacker can use before the vendor has fixed it.
Tavis Ormandy, a security analyst on the Project Zero team, recently had a go at Symantec’s cyber-security offerings (this includes Norton by Symantec) and discovered that almost all the offerings had such severe vulnerabilities that they could “compromise the entire enterprise fleet” and worse.
Adding that these vulnerabilities are “as bad as it gets,” he said that in some cases, an attacker could compromise an entire system “without any user interaction.” The problem is exacerbated by three issues:
- Symantec uses the same vulnerable engine across all their offerings
- Most of these products run at the “highest privilege settings possible.”
- Vulnerable code can be loaded into the Windows kernel.
In layman’s terms, this means that you’re entrusting your vault’s security to someone who may be partially deaf and blind.
To be fair, Ormandy has pointed out that services from Comodo, ESET, Kaspersky and many others are also host to their share of serious vulnerabilities. In fact, he places little faith in antivirus software in general because “it’s a significant tradeoff in terms of increasing the attack surface.” The more complex the code, the higher the chance of vulnerabilities, especially when developers try to cut corners.
He places special emphasis on Symantec’s vulnerabilities because some of the code runs in the kernel. The kernel is the very core of an operating system (Windows, in this case) and forms the interface between hardware and software. Compromise the kernel and you compromise the entire system.
He created an exploit, which he sent to Symantec so as to assist them in fixing the vulnerability, and says that it is “100 percent reliable.”
Another aspect of security that Symantec has reportedly slacked off on is vulnerability management, states Ormandy. Software programmers need to keep a close eye on new releases of any third-party code that they might have used, tracking vulnerability announcements and more. This needs to be done on a regular basis and your software needs to be updated on time.
Ormandy claims that while Symantec did use a lot of open-source libraries, they did not update them in over 7 years. Think about that for a minute: Windows 7 was released in 2009. Ormandy found numerous other bugs and vulnerabilities in the system, and if you want to go through them in more detail, you can read about them here.
Ormandy does point out that Symantec resolved the bugs “quickly.”
If you’re using Symantec security products and automatic updates are enabled, most of these vulnerabilities would have already been patched. If not, ensure that you run a software update (why would you turn it off in the first place?).
System admins, be warned: not all of these essential updates will be pushed automatically, and you’ll have to double-check to ensure that your systems are secure.