Security Experts:

Critical Vulnerability in Symantec AV Engine Exploited by Just Sending an Email

Symantec has updated its Antivirus Engine (AVE) to address a critical memory corruption vulnerability discovered by Google Project Zero researcher Tavis Ormandy.

The flaw, tracked as CVE-2016-2208, is related to how the Symantec AVE parses executable files packed by the ASPack executable file compressor. Many Symantec and Norton products are affected, including Symantec Endpoint Antivirus, Norton Antivirus, Symantec Email Security and Symantec Scan Engine.

The vulnerability can be remotely exploited for code execution by sending a specially crafted file to the victim - either via email or by sending them a link pointing to the file. Ormandy has developed a proof-of-concept (PoC) exploit which he released after Symantec patched the issue.

“On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get,” Ormandy explained in an advisory made public on Monday.

In its own advisory, Symantec said the code executed at kernel level with root privileges causes a memory access violation, which in most cases results in an immediate system crash.

No interaction is required to trigger the exploit. In fact, when Ormandy sent his PoC to Symantec, the security firm’s mail server crashed after its product unpacked the file.

Ormandy reported this and other critical remote code execution vulnerabilities to Symantec in late April. The vendor patched CVE-2016-2208 on Monday with a Symantec Antivirus Engine update pushed out via LiveUpdate. However, the other flaws reported by the Google researcher cannot be addressed via LiveUpdate - they require maintenance patches which take more time to roll out.

This is not the first time Ormandy has found a security product vulnerability that can be exploited simply by sending an email or getting the user to click on a link. In December, the expert reported finding a similar flaw affecting FireEye appliances.

The researcher has analyzed the products of several security firms over the past months, including Trend Micro, ComodoKaspersky Lab, AVGAvast and others.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.