Symantec Antivirus Products Vulnerable To Horrid Overflow Bug (zdnet.com)

An anonymous reader writes: Tavis Ormandy of Google's Project Zero team has discovered a vulnerability in Symantec Antivirus Engine. The said engine is vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files, reports ZDNet. "Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site," Symantec said. "No user interaction is required to trigger the parsing of the malformed file." For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, Ormandy said in the Project Zero issue tracker. "On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get," he said. The vulnerability, if exploited, results in kernel memory corruption without user action and instant blue-screening on Windows.
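The bug class in the summary, a buffer overflow while parsing a malformed PE header, is what a bounds-checked header walk is meant to rule out. Below is an added example (not Symantec's or Project Zero's code): it validates e_lfanew, the "PE\0\0" signature, the section count and the section table against the real buffer length before trusting any of them; the header offsets come from the PE/COFF format, and the 256-byte sample in demo_check is constructed, not a real binary.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not Symantec's code: every field a PE parser uses as an offset
 * or count is checked against the real buffer length before it is trusted. */
#define PE_MZ  0x5A4D      /* "MZ" */
#define PE_SIG 0x00004550  /* "PE\0\0" */
enum { PE_OK = 0, PE_TRUNCATED = -1, PE_BAD_MAGIC = -2, PE_BAD_OFFSET = -3, PE_BAD_COUNT = -4 };
/* Byte-wise little-endian reads: no struct casts, every access bounds-checked. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *out) {
    if (off > len || len - off < 2) return PE_TRUNCATED;
    *out = (uint16_t)(b[off] | (b[off + 1] << 8));
    return PE_OK;
}
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return PE_TRUNCATED;
    *out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
           ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return PE_OK;
}
/* DOS header -> e_lfanew -> "PE\0\0" -> COFF header -> section table.
 * Returns PE_OK with the section count, or a negative error code. */
int pe_check_headers(const uint8_t *buf, size_t len, uint16_t *nsections) {
    uint16_t mz, nsec, opt_size; uint32_t lfanew, sig; int r;
    if ((r = rd16(buf, len, 0, &mz)) != PE_OK) return r;
    if (mz != PE_MZ) return PE_BAD_MAGIC;
    if ((r = rd32(buf, len, 0x3C, &lfanew)) != PE_OK) return r;   /* e_lfanew */
    if (lfanew > len || len - lfanew < 24) return PE_BAD_OFFSET;  /* room for sig + COFF */
    size_t hdr = lfanew;                                           /* widen before arithmetic */
    if ((r = rd32(buf, len, hdr, &sig)) != PE_OK) return r;
    if (sig != PE_SIG) return PE_BAD_MAGIC;
    if ((r = rd16(buf, len, hdr + 6, &nsec)) != PE_OK) return r;       /* NumberOfSections */
    if ((r = rd16(buf, len, hdr + 20, &opt_size)) != PE_OK) return r;  /* SizeOfOptionalHeader */
    if (nsec == 0 || nsec > 96) return PE_BAD_COUNT;   /* 96 is the Windows loader limit */
    size_t sect_off = hdr + 24 + opt_size;             /* 40 bytes per section header */
    if (sect_off > len || (len - sect_off) / 40 < nsec) return PE_TRUNCATED;
    *nsections = nsec;
    return PE_OK;
}
/* Constructed 256-byte sample (not a real binary) with a chosen e_lfanew and
 * section count, so the checks can be exercised on well-formed and malformed input. */
int demo_check(uint32_t lfanew, uint16_t nsec) {
    uint8_t f[256] = {0}; uint16_t n = 0;
    f[0] = 'M'; f[1] = 'Z';
    for (int i = 0; i < 4; i++) f[0x3C + i] = (uint8_t)(lfanew >> (8 * i));
    f[0x80] = 'P'; f[0x81] = 'E';                       /* signature at the sane offset 0x80 */
    f[0x86] = (uint8_t)nsec; f[0x87] = (uint8_t)(nsec >> 8);
    return pe_check_headers(f, sizeof f, &n);
}
```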


  • Irony Overflow Exception at lines one to infinity.

  • A thing of beauty (Score:4, Interesting)

    by cyriustek ( 851451 ) on Tuesday May 17, 2016 @01:34PM (#52129157)

    Tavis Ormandy is badass, and is really awesome at finding bugs. Whether it is Microsoft, Symantec, or anything else, he will find a bug if one is there.

    This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.

    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Tuesday May 17, 2016 @02:52PM (#52129761)

      This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.

      Well, on one hand, it does make some sense. Windows still has the equivalent of a system call table, but it is hookable and the antivirus program will monitor who's hooking the system calls. In addition, it too will hook the system calls to be able to scan files the second they're downloaded as well as be able to block creation of processes using infected files, which helps block infection. It also means many user-space tricks are no longer valid (a user space scanner is vulnerable to malware that can hide itself inside the kernel).

      So it does make some sense to have a part of your scanner inside the kernel itself.

      Of course, the downside is your scanner is now the target of attack because, well, it's a nice juicy place to attack.

  • Linux users would have been better off without Symantec antivirus or any av for that matter.
  • Symantec actively makes Linux and UNIX less secure? Because other than the insanity Lennart Poettering gave us, I fail to see what a proper UNIX system would need with a Symantec scanner. It's been far too long now for the myth of UNIX being insecure in the same ways (note the wording...) to still persist.
  • Yes! (Score:5, Funny)

    by c ( 8461 ) <beauregardcp@gmail.com> on Tuesday May 17, 2016 @01:40PM (#52129193)

    When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.

    Points to Symantec for eating their own dog food, I guess.

    • When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.

      Points to Symantec for eating their own dog food, I guess.

      Maybe ... but points off for having the Dog Food manufactured in China.

  • by Mike Van Pelt ( 32582 ) on Tuesday May 17, 2016 @01:51PM (#52129279)

    This isn't "as bad as it gets" yet. However, "Kernel memory corruption leading to blue screens" is "random stuff got sprayed across the kernel memory". If you can do that, and if you can get a handle on what got sprayed where... then, you have a decent chance of being able to improve that to "Kernel memory corruption leading to remote code execution. In Ring 0."

    And that's as bad as it gets.

    • by Anonymous Coward

      Find a similar bug in an SMM (ring -1) handler in your UEFI BIOS... or perhaps in the various subsystems both Intel and AMD keep on strewing over their offerings that include complete RTOSes running in ring -2 or -3, or in the LOM, maybe on a processor embedded in the southbridge, which might run diddled Chinese firmware complete with diddle-hider, or.... And yes, that southbridge thing sits on a management NIC and gets its input from there before the rest of the system even sees it, so any exploit more or l

  • Unless you don't update AV definitions, this is a nonissue. The AV definition files dated 5/16/16 rev24 included an updated av engine component that fixes this vulnerability. By the time I heard of this issue, our SEPM server had already downloaded the defs with fixed engine and 3/4 of our enterprise was already up to date.

    • by gweihir ( 88907 )

      I beg to disagree. This shows that the scanning engines are of low(est) quality and run in places they should not. While this particular bug is now fixed, the underlying problem is very much not so.

  • "instant blue-screening"? How about kernel-mode code execution, hence why "this is about as bad as it can possibly get".
  • You would think that of all things, scanning engines of AV products would have buffer-overflow protection in place. But apparently, these are the same bad 3rd-rated coders that are responsible for the problem in the first place. And doing this in kernel-space? How insane can you get?
