Google's Project Zero has published details of embarrassing security failings in Symantec and Norton anti-virus products which allow attackers to execute arbitrary malicious code on a system simply by sending an email or hosting a web page.
Discovered by Google's Tavis Ormandy as part of the Project Zero security programme, the vulnerabilities in Symantec's products are extremely serious: the anti-virus engine produced by the company suffers from a buffer overflow condition which can be used to execute arbitrary code on the target system simply by sending an email - even if the target never opens said email. While the flaw exists on all operating systems, a boneheaded design flaw in the Windows release makes things worse: the scanning engine is loaded into kernel space, allowing it to corrupt and modify the Windows kernel in ring0 - 'about as bad as it can possibly get,' as described by Ormandy.
Symantec has issued a patch which prevents Ormandy's exploit from executing, though concerns are likely to remain for some time with regard to the company's approach to developing supposed security products. Said patch should already have been applied to affected systems, though Symantec is advising users to manually run the LiveUpdate tool in order to ensure that the flaw is patched properly and fully.
According to Symantec, the company is 'not aware of exploitation of or adverse customer impact from this issue.'