The hounds of the disastervilles

Friday, 12 August 2016

News article written by Corbett Communications. The statements made or opinions expressed do not necessarily reflect the views of Engineers Australia.

When the bug hounds at Google decided to sniff out the Symantec brand and its Norton security products to hunt for computer bugs, they were surprised to find gaping holes you could drive a truck through, to paraphrase Google ‘Sherlock’ Tavis Ormandy, who stated that “these vulnerabilities are as bad as it gets”.

The team of security analysts, known as Project Zero and of which Ormandy is a member, identified flaws throughout the company’s entire product line, as the same core engine is used across it. On 28 June, Google published the list of “multiple critical vulnerabilities including many wormable remote code execution flaws” in:

  • Norton Security, Norton 360, and other legacy Norton products (all platforms)
  • Symantec Endpoint Protection (all versions and platforms)
  • Symantec Email Security (all platforms)
  • Symantec Protection Engine (all platforms)
  • Symantec Protection for SharePoint Servers, and more.

Symantec issued a security advisory the same day, revising it on 29 June and again on 15 July, stating, “Parsing of maliciously-formatted container files may cause memory corruption, integer overflow or buffer overflow in Symantec’s Decomposer engine. Successful exploitation of these vulnerabilities typically results in an application-level denial of service but could result in arbitrary code execution. An attacker could potentially run arbitrary code by sending a specially crafted file to a user”, but added, “Symantec is not aware of these vulnerabilities being exploited in the wild”.

The Google document on the Symantec and Norton flaws is comprehensive and makes for good reading, with links demonstrating its claims. Along with the vulnerabilities, the Google team identified a collection of stack buffer overflows, memory corruption and more. While it said Symantec “had dropped the ball”, it thanked the company’s security team for helping to resolve the bugs quickly.

Despite the widespread, worldwide use of Symantec’s products, the flaws don’t appear to have done too much damage to the company’s bottom line. The company reported better-than-expected Q1 revenue, with its revenue forecast for the current quarter topping financial analysts’ estimates, according to Reuters.

Author: Desi Corbett