When you download antivirus software, you expect it to protect your computer, not threaten it. And yet for all the good that Symantec/Norton's security programs do, it turns out they may be able to do even more harm.
An amazingly disastrous flaw could let cybercriminals attack a Windows machine at the deepest level, regardless of whether you have the home (Norton) or enterprise (Symantec) version of the company's programs — as do tens of millions of computers worldwide. Worse still: Not every system will get the fix automatically.
This information comes from Google's Project Zero security-research blog, on which security boffin Tavis Ormandy periodically writes about the latest flaw he's discovered in commercial antivirus software.
In this case, the affected programs include, at the very least, Norton Security and its predecessors Norton 360, Norton AntiVirus and Norton Internet Security, as well as Symantec Endpoint Protection, Symantec Email Security, Symantec Protection Engine, Symantec Protection for SharePoint Servers, and pretty much any other antivirus product bearing the Symantec or its Norton imprints.
"These vulnerabilities are as bad as it gets," Ormandy wrote. "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible."
Ormandy cited the flaws' susceptibility to both remote code execution and privilege escalation. This means that not only could an attacker take control of your computer remotely, but he or she could gain administrator access as well. From there, installing malware, stealing information or drafting it into a botnet would be trivial.
Explaining exactly how the flaws work is complicated, although you can read Ormandy's write-up for the full details. Essentially, when you download a compressed executable file (i.e., a program), an antivirus program decompresses, or "unpacks" the file to examine the file's code for vulnerabilities before the suspect file is opened or run.
The problem is that the unpacker program Symantec uses is itself vulnerable to attack, because it doesn't properly handle malformed software designed to confuse it. Mismatched parameters can trigger a memory-buffer overflow in the unpacker, letting an attacker slip in malicious code that can seize control of the Symantec or Norton antivirus software.
Users don't even need to open or run the malicious file. Just getting it on your system — for example, as an email attachment or web link — is enough, since Symantec's antivirus engine will scan and unpack it by default. (Ormandy noted that he has found similar flaws in antivirus products made by Kaspersky and ESET.)
This functionality is a risky proposition at the best of times, but Symantec's programs make it worse by unpacking and examining the suspicious compressed programs right in the Windows kernel, the deepest level of the operating system. That's like bringing a ticking time bomb into police headquarters to defuse it. Anyone who's had to remove a piece of malware that targeted the Windows kernel will tell you how nearly impossible it is to pry a stubborn bit of malware out of there.
Ormandy pointed out other buffer overflows and memory corruptions in the Symantec file unpacker, all of which could threaten PCs to a lesser degree. Symantec has pushed out patches for all of the flaws, but you may not be protected just yet.
First, the good news: There's no evidence that hackers were able to exploit these any of these flaws in the wild. Better news: Every affected Symantec program has been patched.
Still, enterprise users will have to do some legwork to protect themselves. LiveUpdate will take care of the patch for home users; otherwise, Symantec has provided a list of enterprise programs with instructions on how to patch each one. Needless to say, this update is probably even more critical for those who use Symantec to protect their businesses.
If there's a lesson to be learned from this, it's that no program is unhackable. The best an average user can do is to keep all of his or her software updated constantly — especially the software that keeps unwanted programs out.