Future Tense

Go Update Norton Antivirus Right Now. Symantec Really Screwed Up.

Removal, but what about defense?


Instead of building up to it gracefully, I’m just going to tell you right now: Make sure any Symantec security products you use are fully updated. On Tuesday, a Google researcher published details of serious vulnerabilities in Symantec’s products, and you need to make sure you have the right patches before you read anything else. You can check Symantec’s advisory to confirm that you have the most recent updates.

OK. Tavis Ormandy, a researcher in Google’s Project Zero cybersecurity analysis group, revealed the “details of multiple critical vulnerabilities” in a blog post Tuesday. He explained that the bugs are in Symantec’s “core engine,” which underlies all of its products, including brands like Norton Security, Norton 360, and Symantec Endpoint Protection. Symantec said in its security advisory that patches should already have been delivered automatically to consumer users through the company’s LiveUpdate system. For enterprise customers, some updates have to be installed manually, so an administrator has to check rather than assume.

So far there haven’t been any reports of the vulnerabilities being exploited maliciously, but that doesn’t lessen the severity of these security flaws. Ormandy writes that the Symantec Security Team was responsive when Project Zero brought up these vulnerabilities. He adds, though, that overall, “Symantec dropped the ball here. … These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.”

Symantec has millions of individual customers, not to mention its enterprise offerings for everything from small businesses to massive institutions. In this case the problem was in the part of the engine that inspects incoming code. Malware authors routinely ship their programs “packed,” compressed or encoded so that a scanner can’t see the real contents, so an antivirus engine has to run an “unpacker” over every suspicious file to get at what’s inside. That happens automatically, against anything that reaches the machine, whether a download, an email attachment, or a new program that wants to run. The problem was that Symantec’s products were doing this unpacking inside the operating system kernel itself (the fundamental layer of the operating system, which coordinates everything else and runs with the highest privileges). An unpacker is a parser of attacker-controlled data, and a memory-corruption bug in one means a booby-trapped file can corrupt whatever memory sits next to the unpacker’s buffers. In an isolated, low-privilege process that would crash the scanner; in the kernel, it lets the file take over the kernel and, by extension, the entire computer, with no click from the user, because the scanner opens the file on its own. Ormandy summed it up, “Unpackers in the Kernel: Maybe not the best idea?”
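To make the failure concrete, here is an added example (not Symantec’s code, and not the format Ormandy analysed) of the kind of bug a kernel-mode unpacker can contain. It defines a toy “packed” container with a header that declares the unpacked size, a decoder that trusts that header and writes each run without checking it, and a hardened decoder that bounds every length against the input and the output. The format, the constants, and the sample inputs are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy "packed" container, constructed for this example (not Symantec's
 * format): 4-byte magic, 2-byte little-endian declared unpacked size,
 * then a body of (run_length, byte_value) pairs. */
#define TPK_MAGIC   "TPK1"
#define TPK_HDR_LEN 6

enum { UNPACK_OK = 0, UNPACK_ERR_HEADER = -1, UNPACK_ERR_BODY = -2,
       UNPACK_ERR_OVERFLOW = -3, UNPACK_ERR_TRUNCATED = -4 };

/* Parses the header. Returns 1 and sets *declared on success, 0 otherwise. */
static int read_header(const uint8_t *in, size_t in_len, size_t *declared)
{
    if (in_len < TPK_HDR_LEN || memcmp(in, TPK_MAGIC, 4) != 0)
        return 0;
    *declared = (size_t)in[4] | ((size_t)in[5] << 8);
    return 1;
}

/* VULNERABLE: the caller sizes `out` from the header's declared size, but
 * the decoder never checks that the runs actually fit. A file that declares
 * a small size and encodes a larger one writes past the buffer. Returns the
 * number of bytes written. Kept only to show the bug; do not use. */
static size_t unpack_vulnerable(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t pos = 0;
    for (size_t i = TPK_HDR_LEN; i + 1 < in_len; i += 2) {
        size_t run = in[i];
        memset(out + pos, in[i + 1], run);   /* no bound against declared size */
        pos += run;
    }
    return pos;
}

/* HARDENED: every length is checked against both input and output before
 * it is used, and the body must account for exactly the declared size. */
static int unpack_hardened(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t declared, pos = 0;
    if (!read_header(in, in_len, &declared) || declared > out_cap)
        return UNPACK_ERR_HEADER;
    if ((in_len - TPK_HDR_LEN) % 2 != 0)
        return UNPACK_ERR_BODY;              /* dangling run with no value byte */
    for (size_t i = TPK_HDR_LEN; i < in_len; i += 2) {
        size_t run = in[i];
        if (run > declared - pos)
            return UNPACK_ERR_OVERFLOW;      /* the check the vulnerable path lacks */
        memset(out + pos, in[i + 1], run);
        pos += run;
    }
    if (pos != declared)
        return UNPACK_ERR_TRUNCATED;         /* header promised more than the body holds */
    *out_len = pos;
    return UNPACK_OK;
}

/* Constructed sample inputs. GOOD declares 4 bytes and encodes "AABB".
 * BAD declares 4 bytes but its runs encode 8: the kind of malformed file an
 * attacker mails or hosts, knowing the scanner will unpack it unprompted. */
static const uint8_t GOOD[] = { 'T','P','K','1', 4,0, 2,'A', 2,'B' };
static const uint8_t BAD[]  = { 'T','P','K','1', 4,0, 2,'A', 6,'B' };

/* Shows the overrun without undefined behaviour: `region` is larger than
 * the declared size, so the vulnerable decoder's extra writes land in memory
 * we own and can be observed past the declared boundary. In a kernel-mode
 * unpacker those bytes would be whatever follows the buffer in kernel memory.
 * Returns 1 if the canary after the declared size was clobbered. */
int demo_vulnerable_overruns(void)
{
    uint8_t region[64];
    size_t declared;
    memset(region, 0xCC, sizeof region);     /* canary fill */
    if (!read_header(BAD, sizeof BAD, &declared))
        return -1;
    /* BAD's runs total 8 bytes, well inside the 64-byte region. */
    size_t written = unpack_vulnerable(BAD, sizeof BAD, region);
    return (written > declared && region[declared] == 'B') ? 1 : 0;
}

/* Hardened decoder on the malformed input: returns UNPACK_ERR_OVERFLOW. */
int demo_hardened_on_bad(void)
{
    uint8_t out[16];
    size_t n = 0;
    return unpack_hardened(BAD, sizeof BAD, out, sizeof out, &n);
}

/* Hardened decoder on the well-formed input: returns 1 on "AABB". */
int demo_hardened_on_good(void)
{
    uint8_t out[16];
    size_t n = 0;
    if (unpack_hardened(GOOD, sizeof GOOD, out, sizeof out, &n) != UNPACK_OK)
        return 0;
    return (n == 4 && memcmp(out, "AABB", 4) == 0) ? 1 : 0;
}

int main(void)
{
    printf("vulnerable decoder wrote past declared size: %d\n", demo_vulnerable_overruns());
    printf("hardened decoder on BAD  -> %d (expect %d)\n", demo_hardened_on_bad(), UNPACK_ERR_OVERFLOW);
    printf("hardened decoder on GOOD -> %d\n", demo_hardened_on_good());
    return 0;
}
```

The bounds checks are the minimum; the design point in Ormandy’s quote is that even a checked parser should not run in the kernel. Moving the unpacker into a separate, low-privilege, sandboxed process turns the same bug from a kernel takeover into a crashed helper, and a file scanner that processes attacker-supplied input automatically should be built on that assumption.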

It’s been clear for a long time that antivirus products don’t offer a complete cybersecurity solution on their own. Symantec even admitted that in 2014. But for now, the programs remain an important line of defense. It’s just troubling to be reminded that a product which opens every file on the machine with the highest privileges can create as many problems as it solves.