Researcher Hacks Symantec's AV Via EmailLesson to Admins: Be Sure Remote Execution Flaw is Patched
Anti-virus vendors must dread hearing from Tavis Ormandy. The Google Project Zero researcher has been hunting bug vulnerabilities in anti-virus products for at least a year, unearthing holes in the very software that is supposed to protect companies (see Yes Virginia, Even Security Software Has Flaws).
Ormandy's target this time was Symantec. He found several remote code execution vulnerabilities, including one in the core scanning engine used in all Symantec and Norton-branded products. The problem is so severe that even a single email engineered to exploit the flaw could compromise a computer, depending on the platform.
"Just receiving an email is enough, no need to open or read it (even webmail, so long as the tab is open)," Ormandy wrote on Twitter.
Symantec said Monday in an advisory that it had issued a fix for the flaw - designated CVE-2016-2208 - through its LiveUpdate service. The up-to-date version of its anti-virus engine is "20220.127.116.11." Other issues found by Ormandy, however, can't be fixed by LiveUpdate and will require a separate update. A Symantec spokeswoman says the company is working on those issues.
Ormandy's findings were met with surprise, even by computer security pros used to seeing the worst. "A securely configured PC/Mac (no Flash, disabled Office macros, fully patched) is hackable simply by having anti-virus scan inbound mail?!," wrote Kenn White, a security researcher and co-director of the Open Crypto Audit Project.
So, why are anti-virus programs so attractive a target for hackers? To work effectively - and detect malicious activity - the applications require deep access into a computer's operating system. On Windows, Symantec's scanning engine is loaded into the kernel, which is the core code inside the operating system. Successful use of Ormandy's scanning engine bug on Windows causes a memory corruption issue within the kernel and could allow remote attackers to seize full control of some systems.
"This is about as bad as it can possibly get," Ormandy writes in his advisory. The result on Windows is the "blue screen of death." On Linux, Unix and Mac OS X, the successful exploitation of the remote heap overflow problem can give an attacker root access to the system.
Ormandy couldn't be reached for comment. Since last year, Ormandy has found more than 45 flaws within security products from vendors such as Kaspersky Lab, ESET, FireEye, Avira and Sophos.