Attention: Symantec- and Norton-branded endpoint protection and anti-virus users
Security researchers have announced, and Symantec has confirmed, a dangerous vulnerability in many Symantec- and Norton-branded anti-virus and endpoint protection products. The vulnerability exists in the core software that drives the products, and it could allow an attacker to gain root-level control of a host.
Just emailing a file to a victim or sending them a link to an exploit is enough to trigger an attack. The victim doesn’t need to open the file or interact with it in any way. Since no interaction is necessary to exploit it, this is a vulnerability with potentially devastating consequences for Norton and Symantec customers.
The vulnerability takes advantage of the anti-virus software’s behavior as it does its job. Anti-virus software uses a technique called “unpacking” to open incoming files and links and examine them for malware and malicious web links. The way Symantec products perform this technique allows malicious software to execute as it’s being examined. This can allow the malware to take over the anti-virus software’s processes, potentially leaving it running at the highest system-level permissions. If the malware runs at this permission level, it could perform any type of task that the attacker desires. For instance, an attacker could use this vulnerability to create a particular type of malware known as a “worm,” meaning that it could self-replicate and spread throughout an organization’s networks.
Symantec has released patches to fix the vulnerability. Some products are being patched automatically as the anti-virus software receives its periodic definition file updates. Unfortunately, not all products can be patched this way; those that cannot must be manually repaired. Symantec has published a list of its products and the patching process.
If you’re a Symantec or Norton customer, you should immediately contact your vendor to determine impact and corrective action, and you should immediately run a product update to install the most recent patches. This is urgent and should be treated as a top priority.