Enterprises that depend on Symantec?EU?s antivirus products to protect their networks may want to rethink their strategies. According to Google?EU?s Project Zero, Symantec?EU?s flagship enterprise security product is riddled with vulnerabilities that could be putting millions of companies at risk.
The bugs affect all Symantec and Norton branded antivirus products, the Google team said. ?EU?These vulnerabilities are as bad as it gets,?EU? Google researcher Tavis Ormandy wrote on Project Zero?EU?s Web site yesterday. ?EU?They don?EU?t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.?EU?
Project Zero is a Google-run effort to search for vulnerabilities, particularly so-called ?EU?zero-day?EU? flaws in software products, and then alert the developers of the problems. In this case, Ormandy said Symantec was able to fix the problems and update its software quickly. However, some of the products affected by the vulnerabilities cannot be automatically updated, so administrators have to manually update their systems to protect their networks.
While Ormandy praised Symantec for its quick response, he was highly critical of the company’s failure to uncover the vulnerabilities. ?EU?As with all software developers, antivirus vendors have to do vulnerability management,?EU? Ormandy said. ?EU?This means monitoring for new releases of third-party software used, watching published vulnerability announcements, and distributing updates. Nobody enjoys doing this, but it?EU?s an integral part of secure software development.?EU?
In particular, the company failed to update code used in its products that had been derived from open source libraries such as libmspack and unrarsrc for at least seven years, Ormandy said. ?EU?Symantec dropped the ball here,?EU? Ormandy said.
One of the most serious problems in Symantec?EU?s code has to do with…