These days, users can be lulled into a false sense of security once they have installed an antivirus or anti-malware solution on their computers. While a number of vendors, including Symantec, release daily updates to malware definitions, this still allows brand new exploits to be leveraged until they are discovered and indexed.
Unfortunately, like any other software installed on a computer, anti-malware solutions can provide an additional vector for malicious parties to compromise a system.
Google Project Zero security researcher Tavis Ormandy recently discovered "multiple critical vulnerabilities" in addition to "many wormable remote code execution flaws" in a wide range of Symantec software.
In his update on the Project Zero website, Ormandy said that:
These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
One of the critical vulnerabilities targeted a bug in the unpacker used by the core scan engine found in all Symantec and Norton branded products. While Symantec's unpacker contained code which had been derived from open source libraries, Ormandy criticized the company for not updating them "in at least 7 years." As a result, Symantec's software was affected by dozens of public vulnerabilities, some of them with published exploits.
The full list of affected software can be found on the Symantec website, with notable consumer-oriented mentions including, but not limited to:
- Norton 360
- Norton Antivirus
- Norton Internet Security
- Norton Security
While the discovered flaws have already been patched and updates distributed automatically where available, it may be worth your while to manually verify that your software is up to date.
The news comes two months after Symantec made a beta version of Norton Security Premium 2017 available to the public.