By Richard Chirgwin, 17th May 2016 01:27

Symantec antivirus bug allows utter exploitation of memory

Cross-platform nasty is simplicity itself to exploit, so get patching peeps

British white hat hacker and Google Project Zero chap Tavis Ormandy is making life miserable for Symantec again: the bug-hunter has turned up an exploitable overflow in “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products”.

Described here, the problem is in how the antivirus products handle executables compressed using an early version of the Aspack compression tool.

If the engine encounters truncated section data – “when SizeOfRawData is greater than SizeOfImage” – the buffer overflow occurs. Ormandy writes:

“Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.”
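As an added example, not code from Ormandy's report or from Symantec's engine, the following Python checker parses PE section headers and flags the condition the article quotes, a section whose SizeOfRawData exceeds SizeOfImage, plus section raw data that runs past the end of the file (the "truncated section data" case). Field offsets follow the PE/COFF format; build_pe is a constructed, header-only sample used only to exercise the check.

```python
import struct

COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... (40 bytes)

def parse_pe(data: bytes):
    """Return (SizeOfImage, [(name, virtual_size, raw_size, raw_ptr), ...]) from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = pe_off + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    size_of_image = struct.unpack_from("<I", data, opt_off + 56)[0]  # same offset in PE32 and PE32+
    sec_off = opt_off + opt_size
    if sec_off + 40 * nsec > len(data):
        raise ValueError("section table truncated")
    sections = []
    for i in range(nsec):
        name, vsize, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw_size, raw_ptr))
    return size_of_image, sections

def suspicious_sections(data: bytes):
    """Flag sections that should be rejected before any unpacking is attempted:
    SizeOfRawData larger than SizeOfImage (the article's condition) or raw data past EOF."""
    size_of_image, sections = parse_pe(data)
    findings = []
    for name, _vsize, raw_size, raw_ptr in sections:
        if raw_size > size_of_image:
            findings.append((name, "SizeOfRawData > SizeOfImage"))
        if raw_ptr + raw_size > len(data):
            findings.append((name, "raw data extends past end of file"))
    return findings

def build_pe(size_of_image: int, raw_size: int, virtual_size: int, body: bytes = b"") -> bytes:
    """Constructed minimal PE32 header with one section (not a runnable executable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE signature
    coff = struct.pack(COFF_FMT, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic = PE32
    struct.pack_into("<I", opt, 56, size_of_image)
    hdr_end = 0x40 + 4 + 20 + 0xE0 + 40                         # raw data begins right after the headers
    sec = struct.pack(SECTION_FMT, b".text", virtual_size, 0x1000, raw_size, hdr_end, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec + body
```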

Entertainingly, it's a cross-platform bug that affects Windows, Mac, and *nix platforms. In Mac / Linux / Unix, an attacker can cause a remote heap overflow in the Symantec process, giving the attacker root access.

The Windows bug is even better: “On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get,” he writes.

Either email or browser attacks will work, Ormandy says, attaching a test case file to his post. Ormandy tweeted that Live Update will carry some fixes, while others will require a patch. ®
