Security News Bug in Symantec’s anti-virus engine can lead to system compromise

[frogboy]

Content source

https://www.helpnetsecurity.com/2016/05/17/bug-symantec-anti-virus-engine/

Google Project Zero researcher Tavis Ormandy has unearthed a critical remote code execution vulnerability in the anti-virus engine powering Symantec’s endpoint security products (including Norton-branded ones).

The flaw (CVE-2016-2208) has been responsibly disclosed to the company, and it released a new version of its Anti-Virus Engine (v20151.1.1.4) with the fix incorporated. It will delivered to customers via LiveUpdate along with the usual definition and signature updates, Symantec reassured.

In the security advisory accompanying the security update, Symantec noted twice that “the most common symptom of successful exploitation resulted in an immediate system crash,” aka the “Blue Screen of Death.”

Full Article. Bug in Symantec's anti-virus engine can lead to system compromise - Help Net Security

 

[yigido]

Good job Google! In my humble opinion, Google should release a free antivirus They should bundle this AV with Google Chrome installers and everyone will benefit. What do you think?

 

[jamescv7]

@yigido: With enough resources then why not, however we should aware that even though Google is a big company however some category products didn't shine much.

-----------------------

Anyway another strong research investigation by Google, not so good to see that a ring 0 will be compromise again.

 

[Ink]

What do you think?

Google Safe Browsing.

 

[yigido]

Google Safe Browsing.

I said AV (with real-time protection) a software. I am not talking about services.
Yes, GSB does good job but it is not an AV.

 

[Ink]

Google isn't in the business of providing Antivirus software, but they provide top protection with Google Safe Browsing. However, you asked what others thought and that's my opinion. Anyway security-as-a-service is superior to traditional Antivirus, just look at the current landscape.

 

[Cats-4_Owners-2]

@frogboy, thank you sharing/posting this. Shortly after running Liveupdate, and then a quick scan, I experienced a BSOD. Although by habit I regularly run updates, it's ever an unfolding mystery living alongside The Matrix for which a bit more conscious protection is always very welcome!

 

[frogboy]

@frogboy, thank you sharing/posting this. Shortly after running Liveupdate, and then a quick scan, I experienced a BSOD. Although by habit I regularly run updates, it's ever an unfolding mystery living alongside The Matrix for which a bit more conscious protection is always very welcome!

Oh no. that is bad.

 

[Cats-4_Owners-2]

Oh no. that is bad.

Well, even as I hope this proves to be merely a coincidence in timing, I might just take this inopportune opportunity to switch to the latest Windows 10, and make this a silver lining of safety.

 

[Ryan Rafer]

 

[omidomi]

The antivirus engine used in multiple Symantec products has an easy-to-exploit vulnerability that could allow hackers to easily compromise computers.

The flaw was fixed by Symantec in Anti-Virus Engine (AVE) version 20151.1.1.4, released Monday via LiveUpdate. The flaw consists of a buffer overflow condition that could be triggered when parsing executable files with malformed headers.

According to Google security engineer Tavis Ormandy, who found the flaw, the vulnerability can be exploited remotely to execute malicious code on computers. All it takes is for the attacker to send an email with the exploit file as attachment or to convince the user to visit a malicious link.

Executing the file is not necessary, because the antivirus engine uses a driver to intercept all system input and output operations and will automatically scan the file as soon as it reaches the file system in any way.

The file extension doesn’t matter, as long as the file has a header identifying it as a portable executable file packed with ASPack, a commercial compressor utility.

The worst part about it is that the Symantec AVE unpacks such files inside the kernel, the highest privileged region of the OS. This means that successful exploitation can lead to a full system compromise.

“On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process,” Ormandy said in an advisory. “On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel, making this a remote ring0 memory corruption vulnerability—this is about as bad as it can possibly get.”

Symantec has rated the vulnerability with a 9.1 severity score out of 10 in the Common Vulnerability Scoring System (CVSS).

“The most common symptom of a successful attack would result in an immediate system crash, aka. Blue Screen of Death (BSOD),” the company said in its own advisory.

Users should make sure that they install the latest available updates available for their Symantec antivirus products and can check the version of the AVE using instructions on Symantec’s support website.

This is the latest in a long string of critical vulnerabilities found by Ormandy and other security researchers in antivirus products in recent years. Most of them have criticized antivirus vendors for continuing to perform dangerous file scanning operations, which historically have resulted in vulnerabilities, using kernel privileges.

source: A critical Symantec antivirus engine flaw puts PCs at risk of easy hacking