By Iain Thomson, 6th July 2016 21:17

Attention, small biz using Symantec AV: Smash up your PCs, it's the safest thing to do

Security patch for ridiculously bad bugs still weeks away

If you're using Symantec's Endpoint Protection Small Business Edition (SEP SBE) then you can forget about security for a week or so, as the company won't be patching the "as bad as it gets" security holes in its software for a while.

A Register reader who wishes to remain anonymous received an email from Symantec confirming users of the cloud SEP SBE package will be getting patched in the next few days. But the workstation version patches won't be pushed out until the middle of the month, and the Mac version by the end of July.

Meanwhile, if you're still using the older SEP SBE (on-premises) product, then you can forget about it – the system isn't going to get a fix for the problems that allow an attacker full run of a Symantec system without the need for a user to be involved in any way.

"Symantec has released antivirus definitions to detect and block exploitation," the company told us in an emailed statement. "In addition, updates to Symantec Endpoint Protection Small Business Edition will be available by mid-July. We recommend that customers apply these updates as soon as they are available."

That's going to be worrying for anyone using Symantec's kit, and a fairly shocking indictment of how slow Symantec has been on this. The flaws, disclosed publicly last week, were discovered and privately reported in May by the Google Project Zero security team, which gave Symantec three months to fix the issues (although in the past it's been known to extend its deadline).

The issues with Symantec's code certainly seem to run deep. The Google team found wormable remote code execution holes running through Symantec's security suite that could be exploited without any need for a dumb user to open the wrong file.

"These vulnerabilities are as bad as it gets," said Project Zero team member Tavis Ormandy. "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible."

That a company billing itself as the world's leading security company is still scrabbling to fix these flaws speaks volumes. It also makes the SEP SBE advertising slogan "You need to feel safe" darkly comic. To make matters worse, more flaws are on the way.

Symantec was one of the biggest security firms of the 1990s, but has since fallen from grace. It's divesting itself of non-core assets and has gone through three CEOs in as many years. If you're relying on the firm for your security, you may want to look at other options. ®
