
Critical Vulnerability in Symantec AV Engine Exploited by Just Sending an Email

Symantec has updated its Antivirus Engine (AVE) to address a critical memory corruption vulnerability discovered by Google Project Zero researcher Tavis Ormandy.

The flaw, tracked as CVE-2016-2208, is related to how the Symantec AVE parses executable files packed by the ASPack executable file compressor. Many Symantec and Norton products are affected, including Symantec Endpoint Antivirus, Norton Antivirus, Symantec Email Security and Symantec Scan Engine.

The vulnerability can be remotely exploited for code execution by sending a specially crafted file to the victim – either via email or by sending them a link pointing to the file. Ormandy has developed a proof-of-concept (PoC) exploit which he released after Symantec patched the issue.

“On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get,” Ormandy explained in an advisory made public on Monday.

In its own advisory, Symantec said the code executed at kernel level with root privileges causes a memory access violation, which in most cases results in an immediate system crash.

No interaction is required to trigger the exploit. In fact, when Ormandy sent his PoC to Symantec, the security firm’s mail server crashed after its product unpacked the file.
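Because the bug lives in the engine's handling of ASPack-packed executables and the delivery vector is an email attachment, a mail gateway can hold such files for review until the engine update has landed. The following is an added example, not code from the article, Symantec or Ormandy: a deliberately bounds-checked PE section-table parser that flags files carrying ASPack's well-known `.aspack` / `.adata` section names (the indicator is an assumption; the article names no signature) and quarantines anything whose headers point outside the file instead of reading past the buffer. The sample PE images are constructed in memory by `build_pe`, not real binaries.

```python
"""Flag ASPack-packed PE attachments with a bounds-checked header parser (added example)."""
import struct

# Section names ASPack writes into the executables it packs.
# Assumption: these well-known names are used as the indicator here.
ASPACK_SECTION_NAMES = {b".aspack", b".adata"}

PE_SIGNATURE = b"PE\0\0"
IMAGE_FILE_HEADER_SIZE = 20   # COFF file header
SECTION_HEADER_SIZE = 40      # IMAGE_SECTION_HEADER


class MalformedPE(ValueError):
    """Raised instead of reading outside the buffer when headers are inconsistent."""


def _slice(data: bytes, offset: int, length: int) -> bytes:
    """Return data[offset:offset+length], refusing any out-of-bounds read."""
    if offset < 0 or length < 0 or offset + length > len(data):
        raise MalformedPE(f"read of {length} bytes at {offset} exceeds file size {len(data)}")
    return data[offset:offset + length]


def section_names(data: bytes) -> list:
    """Parse the PE section table, validating every offset against the file size."""
    if _slice(data, 0, 2) != b"MZ":
        raise MalformedPE("missing MZ signature")
    (pe_offset,) = struct.unpack("<I", _slice(data, 0x3C, 4))      # e_lfanew
    if _slice(data, pe_offset, 4) != PE_SIGNATURE:
        raise MalformedPE("missing PE signature")
    coff = _slice(data, pe_offset + 4, IMAGE_FILE_HEADER_SIZE)
    num_sections = struct.unpack_from("<H", coff, 2)[0]            # NumberOfSections
    opt_header_size = struct.unpack_from("<H", coff, 16)[0]        # SizeOfOptionalHeader
    table_offset = pe_offset + 4 + IMAGE_FILE_HEADER_SIZE + opt_header_size
    # Fetch the whole table in one checked read: a NumberOfSections that
    # overstates the file is rejected here rather than read past the end.
    table = _slice(data, table_offset, num_sections * SECTION_HEADER_SIZE)
    names = []
    for i in range(num_sections):
        entry = table[i * SECTION_HEADER_SIZE:(i + 1) * SECTION_HEADER_SIZE]
        names.append(entry[:8].rstrip(b"\0"))                      # Name, null padded
    return names


def is_aspack_packed(data: bytes) -> bool:
    """True if any section name matches the ASPack indicator set."""
    return any(name in ASPACK_SECTION_NAMES for name in section_names(data))


def triage_attachment(data: bytes) -> str:
    """'quarantine' for ASPack-packed or malformed PE files, 'pass' otherwise."""
    if not data.startswith(b"MZ"):
        return "pass"                     # not a PE file; this check does not apply
    try:
        return "quarantine" if is_aspack_packed(data) else "pass"
    except MalformedPE:
        return "quarantine"               # inconsistent headers: hold for review


def build_pe(names: list, truncate_to=None) -> bytes:
    """Build a minimal PE image for testing (constructed data, not a real binary)."""
    pe_offset = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_offset)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 for brevity), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    image = dos_header + PE_SIGNATURE + coff + table
    return image if truncate_to is None else image[:truncate_to]


if __name__ == "__main__":
    for label, blob in [
        ("packed", build_pe([b".text", b".aspack", b".adata"])),
        ("plain", build_pe([b".text", b".data"])),
        ("truncated", build_pe([b".text"] * 3, truncate_to=100)),
        ("not-pe", b"just some text"),
    ]:
        print(f"{label:10s} -> {triage_attachment(blob)}")
```

The point of the `_slice` helper is that every read from the untrusted file goes through a single size check, so a section count or header offset chosen to overrun the buffer fails closed; a gateway rule built on this would quarantine both the packed files and the malformed ones for manual inspection rather than passing them on.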

Ormandy reported this and other critical remote code execution vulnerabilities to Symantec in late April. The vendor patched CVE-2016-2208 on Monday with a Symantec Antivirus Engine update pushed out via LiveUpdate. However, the other flaws reported by the Google researcher cannot be addressed via LiveUpdate – they require maintenance patches which take more time to roll out.

This is not the first time Ormandy has found a security product vulnerability that can be exploited simply by sending an email or getting the user to click on a link. In December, the expert reported finding a similar flaw affecting FireEye appliances.

The researcher has analyzed the products of several security firms over the past months, including Trend Micro, Comodo, Kaspersky Lab, AVG, Avast and others.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
