Symantec has updated its Antivirus Engine (AVE) to address a critical memory corruption vulnerability discovered by Google Project Zero researcher Tavis Ormandy.
The flaw, tracked as CVE-2016-2208, is related to how the Symantec AVE parses executable files packed by the ASPack executable file compressor. Many Symantec and Norton products are affected, including Symantec Endpoint Antivirus, Norton Antivirus, Symantec Email Security and Symantec Scan Engine.
The vulnerability can be remotely exploited for code execution by sending a specially crafted file to the victim – either via email or by sending them a link pointing to the file. Ormandy has developed a proof-of-concept (PoC) exploit which he released after Symantec patched the issue.
“On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get,” Ormandy explained in an advisory made public on Monday.
In its own advisory, Symantec said that the code, executed at kernel level with root privileges, causes a memory access violation, which in most cases results in an immediate system crash.
No interaction is required to trigger the exploit. In fact, when Ormandy sent his PoC to Symantec, the security firm’s mail server crashed after its product unpacked the file.
Ormandy reported this and other critical remote code execution vulnerabilities to Symantec in late April. The vendor patched CVE-2016-2208 on Monday with a Symantec Antivirus Engine update pushed out via LiveUpdate. However, the other flaws reported by the Google researcher cannot be addressed via LiveUpdate – they require maintenance patches which take more time to roll out.
This is not the first time Ormandy has found a security product vulnerability that can be exploited simply by sending an email or getting the user to click on a link. In December, the expert reported finding a similar flaw affecting FireEye appliances.
The researcher has analyzed the products of several security firms over the past months, including Trend Micro, Comodo, Kaspersky Lab, AVG, Avast and others.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.