SecurityWeek

Endpoint Security

Critical Vulnerability in Symantec AV Engine Exploited by Just Sending an Email

Symantec has updated its Antivirus Engine (AVE) to address a critical memory corruption vulnerability discovered by Google Project Zero researcher Tavis Ormandy.

The flaw, tracked as CVE-2016-2208, is related to how the Symantec AVE parses executable files packed by the ASPack executable file compressor. Many Symantec and Norton products are affected, including Symantec Endpoint Antivirus, Norton Antivirus, Symantec Email Security and Symantec Scan Engine.

The vulnerability can be remotely exploited for code execution by sending a specially crafted file to the victim – either via email or by sending them a link pointing to the file. Ormandy has developed a proof-of-concept (PoC) exploit which he released after Symantec patched the issue.

“On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get,” Ormandy explained in an advisory made public on Monday.

In its own advisory, Symantec said that parsing a malformed ASPack-compressed file causes a memory access violation in the AVE, which runs at kernel level with root privileges; in most cases this results in an immediate system crash.

No user interaction is required to trigger the flaw: the file is parsed as soon as the product scans it. In fact, when Ormandy sent his PoC to Symantec, the security firm’s mail server crashed after its product unpacked the file.
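The bug class described above is a file-format parser trusting sizes and offsets read from the very file it is scanning. The following C is an added illustration written for this page; it is not Symantec's code, Ormandy's PoC, or the real ASPack or PE layout. It uses a constructed toy section record (the section_t fields, the 64-byte dummy file, the 4096-byte image and the sample headers are all assumptions made for the example) to show the unchecked copy pattern that yields a heap overflow in a user-space scanner, or ring0 memory corruption when the same code runs in the kernel, next to the bounds checks a scanner needs before touching attacker-controlled data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified section record for a toy unpacker (assumption made
 * for this example). A real PE section header has more fields and ASPack's
 * own tables differ; only the shape matters here: three 32-bit values read
 * straight from the attacker's file. */
typedef struct {
    uint32_t raw_offset;  /* where the section's bytes begin in the file */
    uint32_t raw_size;    /* how many bytes the file claims the section has */
    uint32_t virt_offset; /* where the unpacker should place them in the image */
} section_t;

#define IMAGE_LEN 4096

/* Vulnerable pattern: every bound comes from the file and none is checked.
 * With raw_size larger than the remaining file, the read runs off the end of
 * the input; with virt_offset + raw_size larger than the image, the write runs
 * past the destination buffer. Shown for contrast only; never call this on
 * untrusted input. */
void unpack_unchecked(const uint8_t *file, const section_t *s, uint8_t *image)
{
    memcpy(image + s->virt_offset, file + s->raw_offset, s->raw_size);
}

/* Hardened pattern: validate each side against the buffer it touches, phrased
 * so that no addition of two attacker-chosen 32-bit values can wrap around.
 * Returns 0 on success, -1 for a truncated or out-of-range source, -2 for a
 * destination that would overflow the image. */
int unpack_checked(const uint8_t *file, size_t file_len, const section_t *s,
                   uint8_t *image, size_t image_len)
{
    if (s->raw_offset > file_len || s->raw_size > file_len - s->raw_offset)
        return -1;
    if (s->virt_offset > image_len || s->raw_size > image_len - s->virt_offset)
        return -2;
    memcpy(image + s->virt_offset, file + s->raw_offset, s->raw_size);
    return 0;
}

/* Constructed sample headers over a 64-byte dummy file:
 *   0: well-formed section
 *   1: raw_size claims more bytes than the file holds (truncated input)
 *   2: section lands past the end of the image (destination overflow)
 *   3: raw_offset near UINT32_MAX; raw_offset + raw_size wraps to 16, which a
 *      naive "offset + size <= len" check in 32-bit arithmetic would accept
 * Returns the unpack_checked result, or -99 for an unknown sample index. */
int sample_result(int which)
{
    static const section_t samples[] = {
        { 16, 32, 100 },
        { 16, 100, 100 },
        { 0, 64, IMAGE_LEN - 6 },
        { 0xFFFFFFF0u, 32, 100 },
    };
    uint8_t file[64];
    uint8_t image[IMAGE_LEN];

    if (which < 0 || which >= (int)(sizeof samples / sizeof samples[0]))
        return -99;
    memset(file, 0x41, sizeof file);   /* constructed file contents */
    memset(image, 0, sizeof image);
    return unpack_checked(file, sizeof file, &samples[which], image, sizeof image);
}

int main(void)
{
    int i;
    for (i = 0; i < 4; i++)
        printf("sample %d -> %d\n", i, sample_result(i));
    return 0;
}
```

The two checks are written as subtractions rather than `offset + size <= len` on purpose: sample 3 is exactly the header that passes a wrapped addition and fails the subtraction form. In a user-space scanner a missed check of this kind is a heap overflow in the scanning process; when the same parser is loaded into the kernel, as the article says the Windows scan engine is, the corrupted memory is ring0.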

Ormandy reported this and other critical remote code execution vulnerabilities to Symantec in late April. The vendor patched CVE-2016-2208 on Monday with a Symantec Antivirus Engine update pushed out via LiveUpdate. However, the other flaws reported by the Google researcher cannot be addressed via LiveUpdate – they require maintenance patches which take more time to roll out.

This is not the first time Ormandy has found a security product vulnerability that can be exploited simply by sending an email or getting the user to click on a link. In December, the expert reported finding a similar flaw affecting FireEye appliances.


The researcher has analyzed the products of several security firms over the past months, including Trend Micro, Comodo, Kaspersky Lab, AVG, Avast and others.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
