Tavis Ormandy struck again, and it hurts. In a note to blog, security researcher for Google Project Zero has just pin again Symantec security software. He has released seven new critical vulnerabilities that impact all publisher’s products, whether for the general public (Norton) or businesses (EndPoint Protection, Scan Engine, …).
“One can hardly do worse than these flaws. They require no user interaction, affect the configuration of origin and allow to obtain the highest level of execution privilege. In some cases on Windows, the same vulnerable code affects the core, “said Tavis Ormandy, adding that several of these flaws can be used to create worms, which is particularly dangerous. Last May, the Google engineer had already published a first dive group of critical vulnerabilities in Symantec software.
A careless development process
Among the new found flaws in Mr. Ormandy details linked to a PowerPoint document analysis (CVE-2016-2209). It shows the source code to support, how a buffer overflow in this feature allows an attacker to execute arbitrary code on the system with administrator rights.
The researcher also critical management of software development at Symantec. According to him, the publisher has integrated open source libraries in its products without updating it since … seven! “Dozens of public libraries in these vulnerabilities impact the Symantec products. For some of them, there are even public exploits, “he says.
His advice is simple: always check that the third-party software does not have vulnerabilities and they are updated. “Nobody wants to do that, but it must fully be part of a secure development process,” he added. Symantec is obviously pretty far from such a quality standard, which is strange for a specialized security editor!
The good news is that Symantec has released patches for all these faults. The most Norton products, in particular, will be updated automatically by the LiveUpdate system. Norton Bootable Removal Tool will require manually download the new version. However, no update is available now for Norton Security for Mac.