Tavis Ormandy, a security researcher working for Google’s Project Zero, discovered and helped Symantec fix a grave security issue affecting its Symantec Antivirus Engine, the core of many of Symantec’s security products.
Ormandy explains that, in certain situations, when certain types of data reach the Symantec Antivirus Engine (SAE), the product handles those files in an insecure manner that leads to a buffer overflow.
The security bug is trivial to exploit
“When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products,” Ormandy explains. “The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage.”
This causes the security engine to crash in a non-standard way that grants the attacker root privileges and the ability to execute code on the machine. The security issue, tracked as CVE-2016-2208, affects all operating systems: Mac, Linux, and Windows.
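The trigger condition Ormandy describes, a PE section whose SizeOfRawData exceeds SizeOfImage, is something a defender can check for before a file ever reaches a scanning engine. The following is an added example, not code from the original article or from Symantec: it builds a minimal constructed PE32 file (not a real aspack sample) and walks its section table, flagging any section whose declared raw size is larger than the image or runs past the end of the file. Function names and the sample layout are assumptions for this demo.

```python
import struct

def build_pe(size_of_image, sections):
    """Build a minimal PE32 file (constructed test input, not a real binary).
    sections: list of (name, virtual_size, virtual_address, size_of_raw_data, raw_bytes)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                  # e_lfanew -> PE signature at 0x40
    opt = bytearray(0xE0)                                # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic = PE32
    struct.pack_into("<I", opt, 56, size_of_image)       # SizeOfImage field
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    raw_start = 64 + 4 + len(coff) + len(opt) + 40 * len(sections)
    hdrs, body, ptr = b"", b"", raw_start
    for name, vsize, vaddr, raw_size, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                            raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs + body

def truncated_sections(data):
    """Return [(section_name, reason)] for every section whose declared raw size is
    inconsistent with the image: SizeOfRawData > SizeOfImage (the condition Ormandy
    describes for CVE-2016-2208), or raw data that would extend past the end of file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    opt_off = e_lfanew + 24
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0] # same offset for PE32/PE32+
    findings = []
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if raw_size > size_of_image:
            findings.append((name, "SizeOfRawData 0x%x > SizeOfImage 0x%x" % (raw_size, size_of_image)))
        if raw_ptr + raw_size > len(data):
            findings.append((name, "raw data ends past EOF"))
    return findings

if __name__ == "__main__":
    sample = build_pe(0x2000, [(b".text", 0x1000, 0x1000, 0x10000, b"\x90" * 0x200)])
    print(truncated_sections(sample))
```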
Ormandy says the issue can be exploited in a very simple manner. Because the flaw resides in the scanning engine itself, which opens and reads any file it encounters, not just those the user manually selected for a scan, the crook can simply send an exploit package via email or a link pointing to a Web-hosted exploit.
The engine will scan its content automatically and compromise the user’s machine, no user interaction needed.
Exploitation on Windows leads to BSOD
On Windows computers, Ormandy says this is even more of an issue because the scan engine runs directly on the Windows kernel.
Exploiting this bug on Windows corrupts memory in Ring 0, the most privileged level of the operating system, which interacts most directly with physical hardware such as the CPU and memory. This leads to a state of “kernel panic,” which can result in a BSOD (Blue Screen of Death).
CVE-2016-2208 affects Symantec products such as Symantec Endpoint Antivirus, Norton Antivirus, Symantec Scan Engine, and Symantec Email Security. Ormandy claims that, in theory, the bug should affect any other product where Symantec deployed SAE.
The researcher disclosed the problem to Symantec, and the company issued a patch that customers can download and apply to their software.
Inspecting malicious code in the kernel? That’s like the bomb squad bringing a suspicious package into a kindergarten to open it. — Patrick Gray (@riskybusiness)
Critical Symantec fix being released later today via LiveUpdate. The other critical RCE vulns can’t be fixed via LU, will require a patch. — Tavis Ormandy (@taviso)
Just happened to have an up to date Symantec box lying around and got to play with‘s bug. — Rob Fuller (@mubix)