Symantec products vulnerable to buffer overflow bug

The Google Project Zero team has found a vulnerability in Symantec's Antivirus Engine that results in instant blue-screening and kernel memory corruption without user action on Windows.

(Image: Tavis Ormandy/Google Project Zero)
(Image: Tavis Ormandy/Google Project Zero)

The Google Project Zero team has found a vulnerability in Symantec's Antivirus Engine. Run on Windows, the vulnerability results in instant blue-screening and kernel memory corruption.

Tavis Ormandy, an information security engineer in Google's Project Zero team discovered the vulnerability, which is a buffer overflow that occurs when parsing malformed portable-executable (PE) header files.

Ormandy went on to explain that, "On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get,"

According to Ormandy, the exploit results in a remote heap overflow as root in the Symantec or Norton process when used in Linux, OS X, and other Unix-based systems. Detailing his findings in the Project Zero issue tracker, Ormandy said that “"No user interaction is required to trigger the parsing of the malformed file."

In an advisory on the issue, numbered CVE-2016-2208, Symantec said, "such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site."

According to Symantec, the "most common symptom of a successful attack", would be a system crash and a blue screen of death.

When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server. "This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it," Ormandy explained.

Symantec pushed out a fix for the issue on Monday, and said products that run it's LiveUpdate product should be be patched. According to Ormandy, Symantec Endpoint Antivirus, Norton Antivirus, Symantec Scan Engine, and Symantec Email Security on all platforms were affected, as well as "probably all other Symantec Antivirus products".

Ormandy has already found vulnerabilities in quite a few other antivirus products, including Kaspersky Antivirus, Avast Antivirus, FireEye, AVG AntiVirus, and MalwareBytes.

Fraser Kyne, regional SE director at Bromium spoke with SCMagazineUK.com and said that, “the fact that AV isn't enough to protect from modern threats has been accepted in the industry for a long time – even by the AV vendors themselves. However, the realisation that security software itself can actually introduce new vulnerabilities will be a shock to many.”

“There is a simple rule: more code equals more vulnerabilities. When you install software, you add to the attack surface of the machine. AV is no exception. Add to this that malware detection rates are terrible, and that detection in concept is largely useless for polymorphic, targeted, 0-day malware, and it starts to question the use of AV at all.”

“Common wisdom is to apply a layered approach of defence-in-depth. But if you do this without layers of separation/isolation and rely on detection at each layer, then you're kidding yourself and wasting your money. Tools like micro virtualization must be considered in order to fill the gaps.”

Aftab Afzal, senior vice president and general manager of EMEA at NSFOCUS IB spoke with SC and said that, “This is a very unfortunate incident for Symantec, however no security solution is infallible, so that's why defence in depth with multi-layered controls is always the recommended approach. Attack vectors continue to evolve, and this is clearly not the first time we have seen antivirus being reversed engineered.”

“The endpoint is last in the line, therefore putting in place cloud, perimeter or sandbox environments will limit the impact.  Using the latest vulnerability (and) threat intelligence, whilst working with a diverse range of  vendors, can reduce the risk. Smart vendor selection will meet most all budgets.”

Matthias Maier, security evangelist Splunk spoke with SC and said that, “one measure to up level your security posture and reduce the impact of modern attacks that make it into your network is to use data science and machine learning for automated analysis, based on all log and activity data to detect attacks early and enable security teams to respond quickly. With visibility across the entire IT infrastructure, companies can spot normal versus abnormal activity and understand what's going on to be able to respond in a more timely manner with the right actions.”