Google’s Project Zero team set out in 2014 to help make the Internet a safer place by searching for vulnerabilities in third-party software that could be used to conduct a cyber attack. The division recently struck gold, if you will, as it discovered multiple critical vulnerabilities affecting Symantec’s entire product line.
Security researcher Tavis Ormandy outlined the issues in a recent post on the Project Zero blog, describing the vulnerabilities as being as bad as it gets. That’s because they don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.
In certain scenarios on Windows, vulnerable code is even loaded into the kernel, which Ormandy said results in remote kernel memory corruption.
Ormandy notes that since Symantec uses the same core engine across its entire line, all Symantec and Norton branded antivirus products are affected, including:
- Norton Security, Norton 360, and other legacy Norton products (All Platforms)
- Symantec Endpoint Protection (All Versions, All Platforms)
- Symantec Email Security (All Platforms)
- Symantec Protection Engine (All Platforms)
- Symantec Protection for SharePoint Servers
- And so on.
The researcher described a few of the many vulnerabilities they found. He took Symantec to task for its poor vulnerability management, noting that a quick look at the decomposer library showed they were using code derived from open source libraries that hadn’t been updated in at least seven years.
Ormandy did praise Symantec for its help in resolving the bugs so quickly. Google gives companies 90 days from the time of private disclosure before going public with vulnerabilities it finds.
That said, if you’re running any Symantec or Norton product, you’ll want to update it ASAP.