The Channel logo


By | Richard Chirgwin 17th May 2016 01:27

Symantec antivirus bug allows utter exploitation of memory

Cross-platform nasty is simplicity itself to exploit, so get patching peeps

British white hat hacker and Google Project Zero chap Tavis Ormandy is making life miserable for Symantec again: the bug-hunter has turned up an exploitable overflow in “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products”.

Described here, the problem is in how the antivirus products handle executables compressed using an early version of the Aspack compression tool.

If the engine encounters truncated section data – “when SizeOfRawData is greater than SizeOfImage” – the buffer overflow occurs. Ormandy writes:

Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.”/blockquote>

Entertainingly, it's a cross-platform bug that affects Windows, Mac, and *nix platforms. In Mac / Linux / Unix, an attacker can cause a remote heap overflow in the Symantec process, giving the attacker root access.

The Windows bug is even better: “On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get,” he writes.

Either email or browser attacks will work, Ormandy says, attaching a test case file to his post. Ormandy tweeted that Live Update will carry some fixes, while others will require a patch. ®

comment icon Read 21 comments on this article or post a comment alert Send corrections


Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella

Chris Mellor

Thousands of layoffs announced as spinning rust enters its death spiral


STRASBOURG, JUNE 29, 2016: The seat of the European Parliament. by Marco Aprile for shutterstock. EDITORIAL USE ONLY
Plan b, image via Shutterstock
EU workers, new markets: post-Brexit pressure on May & Co
Tough question, pic via Shutterstock
Honest mistake with your licensing? Audit police look at it on a 'case by case basis'