A series of very serious flaws have been discovered in Symantec and Norton antivirus software, which Google says are “as bad as it gets”. A patch has been released.
Google’s Project Zero scours the web for ‘zero-day’ vulnerabilities, giving guilty companies three months to fix them. Its latest discovery is quite the doozy.
Symantec’s antivirus software – which also supports the Norton brand – is achieving quite the opposite of what it was designed, and marketed, to do.
Finding multiple “critical vulnerabilities”, Project Zero’s Tavis Ormandy said this is “as bad as it gets” as affected users don’t even need to interact with compromised files.
“They affect the default configuration,” he said, “and the software runs at the highest privilege levels possible”.
Ormandy notes that one of the vulnerabilities is so worrying that just emailing a file to a victim or sending them a link to an exploit is enough to trigger it: “the victim does not need to open the file or interact with it in any way.
“Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.”
Symantec was briefed on the problems and, shortly before the Project Zero comment, it released its own advisory notes – listing 25 affected products in total – with a patch rolled out for the problems.
Indeed, Ormandy credits Symantec with bringing out a raft of fixes that should be automatic updates for users but, just in case, best check that you’re running the latest version of your product.
Symantec, in turn, thanked Ormandy for pointing out the problem, “and working closely with us as we addressed the issues”.
It has advised users to restrict administrative privileges to a small number of people, and to allow remote access only to those people.
Other obvious recommendations include things like maintaining up-to-date software, running “under the principle of least privilege” and fighting back by running firewalls, anti-malware apps and antivirus software to provide the best chances of catching issues early on.