Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets' (fortune.com)

Google's Project Zero team has discovered a heap of critical vulnerabilities in Symantec and Norton security products. The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links. According to a Fortune report, the vulnerabilities affect millions of people who run the company's endpoint security and antivirus software -- all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand). Dan Goodin, reporting for Ars Technica: The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they're allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Tavis Ormandy, a researcher with Google's Project Zero, said a better design would be for unpackers to run in a security "sandbox," which isolates untrusted code from sensitive parts of an operating system.

  • by Anonymous Coward

    Putting anti-virus anything in a kernel is down right stupid.

    • by SharpFang ( 651121 ) on Wednesday June 29, 2016 @09:11AM (#52412749) Homepage Journal

      They need to hijack all network and file operations, so they do need hooks in the kernel. But these should be minimal, passing the data down to a sandbox without even peeking inside. The fact data that is *expected to be malicious* is allowed to interact directly with kernel level code is definitely FUBAR.

      • by bravecanadian ( 638315 ) on Wednesday June 29, 2016 @09:28AM (#52412853)

        They need to hijack all network and file operations, so they do need hooks in the kernel. But these should be minimal, passing the data down to a sandbox without even peeking inside. The fact data that is *expected to be malicious* is allowed to interact directly with kernel level code is definitely FUBAR.

        That is a good point.

        Obviously they do need to be in the kernel to check the operations, but the way you have broken it down makes a lot more sense than actually parsing items that are suspected of being malicious in kernel mode.

        Pretty sad when convenience trumps security even in a security product.

        • by Anonymous Coward
          I agree that this needs to be done in some sort of sandbox. I'd disagree that it was just for convenience though. For many years people have complained about how these anti-malware products slow their machine down. Imagine taking the hit for moving between kernel space and user space and setting up a sandbox. I'm sure this was done for performance reasons and not just convenience.
• Setting up a sandbox is a one-time deal on startup. Giving the process preferential treatment in the scheduler is a viable approach; another is to bypass the whole heavyweight system of accounts and authentication and carve your own sandbox from scratch, a separate, minimal subsystem of lowered privileges, à la VM.

            • by klubar ( 591384 )

              You probably need to recreate the sandbox each time (or at least at some frequency) because you can't tell if the sandbox has been corrupted by the malicious code. Trying to bypass the accounts & authentication just punches more holes in the OS.

              It's not an easy problem, especially if you are concerned about speed.

• You MUST be monitoring the sandbox to tell if it's been corrupted by malicious code. Otherwise the whole scheme crashes and burns, as the attacker hijacks the sandbox and infects the clean uplink. And that can take a very short time, so "periodic re-creation of sandbox" is not a solution. Tight monitoring à la running in a debugger is the way.

                Of course in case the sandbox is corrupted, it would need to be re-created, but that *hopefully* wouldn't be too frequent.

          • by lgw ( 121541 )

            Imagine taking the hit for moving between kernel space and user space and setting up a sandbox.

            Sandboxing can be minimal in user space, and anyway only needs to be done once. There shouldn't be any performance hit for doing the parsing work in user space - you don't have to copy the data around or anything, just arrange for the user-mode process to see the page. Latency for detection would get worse, due to the wait for the user-mode thread to notice it had work to do, but that should be sub-millisecond in a modern system.
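The split SharpFang and lgw describe above (a thin privileged hook that hands data to an isolated, low-privilege worker, with the privileged side surviving a parser crash) can be modelled in a few dozen lines. This is an added example, not code from the thread or from any Symantec product: the toy packed format, the `unpack()` parser, the `build_blob()` sample builder and the resource caps are assumptions chosen for illustration, and the crash is simulated with `os.abort()` to stand in for memory corruption in a native unpacker.

```python
import os
import resource
import signal
import struct

# Constructed toy "packed" format for this example: a 4-byte big-endian
# length followed by that many payload bytes. It stands in for the real
# unpacker formats the thread discusses; nothing here is Symantec's code.
def unpack(blob: bytes) -> bytes:
    if len(blob) < 4:
        raise ValueError("truncated header")
    (length,) = struct.unpack(">I", blob[:4])
    payload = blob[4:4 + length]
    if len(payload) != length:
        # Simulate what an unchecked length does to a native parser: the
        # process dies hard instead of raising a clean exception.
        os.abort()
    return payload

def build_blob(payload: bytes, claimed_length: int = -1) -> bytes:
    """Constructed sample input; claimed_length lets a caller lie about the size."""
    length = len(payload) if claimed_length < 0 else claimed_length
    return struct.pack(">I", length) + payload

def _cap(limit_name: str, value: int) -> None:
    # Lower a soft limit without exceeding the existing hard limit.
    lim = getattr(resource, limit_name)
    _soft, hard = resource.getrlimit(lim)
    cap = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(lim, (cap, hard))

def _worker(blob: bytes, wfd: int) -> None:
    # Confine the worker: bounded CPU time, no core dumps, bounded memory.
    # A real product would also drop to an unprivileged user and apply a
    # syscall filter such as seccomp (assumed here, not shown).
    _cap("RLIMIT_CPU", 2)
    _cap("RLIMIT_CORE", 0)
    _cap("RLIMIT_AS", 512 * 1024 * 1024)
    try:
        os.write(wfd, b"OK:" + unpack(blob))
    except Exception as exc:
        os.write(wfd, b"ERR:" + str(exc).encode())
    os._exit(0)

def scan_in_sandbox(blob: bytes) -> dict:
    """Controller side: the only part that would live in the privileged
    component. It never looks inside the data itself."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(rfd)
        _worker(blob, wfd)  # never returns
    os.close(wfd)
    chunks = []
    while True:
        chunk = os.read(rfd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    _pid, status = os.waitpid(pid, 0)
    data = b"".join(chunks)
    if os.WIFSIGNALED(status):
        # The parser died: fail closed and let the caller quarantine the
        # file instead of trusting it. The controller itself is unharmed.
        sig = os.WTERMSIG(status)
        return {"verdict": "parser_crashed",
                "signal_name": signal.Signals(sig).name, "payload": None}
    if data.startswith(b"OK:"):
        return {"verdict": "unpacked", "signal_name": None, "payload": data[3:]}
    return {"verdict": "parse_error", "signal_name": None, "payload": None,
            "error": data[4:].decode(errors="replace")}

if __name__ == "__main__":
    print(scan_in_sandbox(build_blob(b"hello")))
    print(scan_in_sandbox(build_blob(b"short", claimed_length=100)))
    print(scan_in_sandbox(b"\x00"))
```

The point is the third outcome: a length field that lies about the payload size takes down the worker with SIGABRT, and the controller reports `parser_crashed` rather than crashing with it. In a kernel-resident unpacker the same defect would be a kernel fault or, worse, a controlled memory write.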

        • by gtall ( 79522 )

          From a security standpoint, doing those data intensive checks shouldn't be in the kernel (separation kernels were designed for this). However, having to do process swaps to do the security checks is going to raise the hit on the processor. Security will always cost something.

        • by Bert64 ( 520050 )

          Convenience or performance...
          These security products are already bloated and slow enough as it is, if you add the extra overhead of passing the data to a sandboxed userland process for inspection it's going to make them even worse.

          But you are right, endpoint protection software violates many security best practices... Extremely complex code, dealing directly with untrusted data and running with a high privilege level.

          The only AV i run is on web and mail filtering boxes, the scanner runs under its own unpriv

• Anyone else remember HTTP kernel modules like Tux? "Hey, let's parse unfiltered, unverified data in the kernel." That needed to die, and luckily enough it eventually did.

      • Oh wait, this is Windows. It probably doesn't have anything like that in user space to intercept system calls.

        • by AndroSyn ( 89960 )

          LD_PRELOAD doesn't intercept system calls, it intercepts library calls. Some of which do wrap system calls, but LD_PRELOAD helps you ZERO if you have a statically linked executable.

          I'd imagine a lot of malware for Linux based operating systems very well might be statically linked, to avoid libc version dependencies.

    • by sunderland56 ( 621843 ) on Wednesday June 29, 2016 @09:12AM (#52412759)

      If it wasn't in the kernel, how would it constantly suck 50% of your CPU and slow your machine to a crawl?

    • Without adding file system hooks to the kernel, how should a real-time antivirus tool trap attempts to read potentially infected files?

      Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.

      • A whitelist is a gateway to an app store only system with censorship and lack of choice. Also the 20%-30% cut is very bad with high cost pro software.

        • by tepples ( 727027 )

          But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console

          A whitelist is a gateway to an app store only system with censorship and lack of choice.

          That's sort of what I was getting at. It really depends on by whom it's managed. Some PC owners can be trusted to maintain their own whitelist; others can't.

          If by an experienced user
          A whitelist managed by an experienced user is highly effective, as described in an article by Roger A. Grimes [infoworld.com] and a SANS white paper [sans.org]. It's even better when you have a couple such users to handle application evaluation requests in a company's IT department.
          If by an inexperienced home PC owner
          A malware publisher can social enginee
          • as what some consider "censorship" others consider "peace of mind that I won't irreversibly break something".

            But then why ban adult themed apps and games?

Why ban Wolf 3D just because the app store does not like the content?

Why ban NES emulators just because big N said to?

            • by tepples ( 727027 )

Why ban Wolf 3D just because the app store does not like the content?

              That depends on whether they banned Id's parent company Zenimax from posting it or whether they banned third parties from posting it.

              Third parties, game assets included
              Zenimax has sent notices of claimed infringement [slashdot.org] to those hosting source ports bundled with game asset files (such as WAD or PAK).
              Third parties, game assets not included
              App store operators want all source ports distributed to the public to be "self-contained", with the engine and game assets in one package authorized by the game assets' copyr
              • by lgw ( 121541 )

                Whatever HTML you were hoping for in that post, it looks like goatse. Slashcode is terrible and especially the list tags are broken beyond belief. (Also, you just gave a detailed response to some rhetorical questions.)

      • by LichtSpektren ( 4201985 ) on Wednesday June 29, 2016 @09:57AM (#52413061)

        Without adding file system hooks to the kernel, how should a real-time antivirus tool trap attempts to read potentially infected files?

        Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.

        A whitelist is useless. It will either--as you said--just lock down the computer a la Windows RT, or it won't prevent the admin from whitelisting whatever he wants to execute or install, thus retaining the exact same threat risk as before.

        For optimal security, what one should do before executing an unknown binary is (1) first run it in a safe testing environment [e.g. a virtual machine] and carefully monitor the std streams to make sure it's not trying to do something malicious, and/or (2) use mandatory access control [e.g. SELinux, AppArmor] to profile the binary before executing it, thus ensuring that it won't be able to do anything beyond the realm of what the admin expects it to do. As additional safeguards, ALWAYS have multiple backups of important data. Also, a ZFS/btrfs snapshot would be good too.

        But all of that's for the security-conscious. 99% of the human race won't bother with any of that--and that's why Windows has an atrocious reputation for security and crapware, because the UAC introduced in Vista has just conditioned people to click through everything, and even the very best antivirus programs (to this I am counting BitDefender and Kaspersky--NOT Norton, Symantec, McAfee, or Windows Defender) don't protect against zero-days. It's still not difficult to unintentionally cultivate malware just through email attachments and web browsers.

        Linux is infinitely superior in this regard, since you have the baked-in defenses from POSIX, but also because the important Linux distros all ship with SELinux or AppArmor sandboxing the privileges of the email client and browser by default.

        • "A whitelist is useless. It will either--as you said--just lock down the computer a la Windows RT, or it won't prevent the admin from whitelisting whatever he wants to execute or install, thus retaining the exact same threat risk as before."

          I wouldn't say that a white list is useless, but I'm not sure you really get the idea of white listing.

          A white list isn't to prevent execution of unknown code, it is to prevent the execution of unapproved code. And conflating the two results in mistakes of intent, purpos

          • by sjames ( 1099 )

            The problem is who makes the whitelist. It is either an expert who may or may not have motives other than safety in mind (your computer isn't really yours, which might be acceptable on a corporate PC) or it is the owner, in which case they could skip the whitelist system and just run the software they want to run. If you need a whitelist to keep software from running without the user's permission, then you actually just have a UI problem that should be fixed.

        • it won't prevent the admin from whitelisting whatever he wants to execute or install

          It's not supposed to stop those things.

          A whitelisting application is only supposed to stop things that admins do not want to run. It is specifically designed for competent system administrators---not home users.

          A home user would have to delegate whitelist management, which translates to subscription security services or curated application stores in the real world.

          to profile the binary before executing it

          You're joking, right?

          Enterprise applications have hundreds of interrelated binaries, and there is generally no data available on the exact functi

      • Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.

        Don't worry, eventually once there is a sufficiently bad "digital pearl harbor" event EVERYTHING will be on a white list, because everything will be like itunes and google play, you (we) won't be able to do nuthin' on our PC without it going through a walled garden.

        A walled garden controlled by a bureaucratic quagmire along the lines of whatever "team" brought us the 0bamacare website.

  • Oy! And these people call themselves professionals!

  • A bug in Norton? Really? How surprising. That's never happened before, has it?

    • A bug in Norton? Really? How surprising. That's never happened before, has it?

      People pay for Norton products all the time but I cannot in good conscience ever recommend any product from them. I have repaired computers that were literally damaged by simply installing norton products. I could go on and on (and have, many times when appropriate) about how this software doesn't work and is literally worse than nothing - based on MY OWN personal observations, and I am NOT alone.
      But I don't go on about McAfee, I simply sum up McAfee products with one line: The only thing WORSE than any of

  • by ryanmc1 ( 682957 ) on Wednesday June 29, 2016 @09:24AM (#52412829) Homepage
    I remember when Windows Vista came out Microsoft tried to lock down the kernel, but got sued by the above mentioned security vendors. This is what happens when you put your trust in third party vendors.

    http://www.dailytech.com/Micro... [dailytech.com]
    • ryanmc1: "I remember when Windows Vista came out Microsoft tried to lock down the kernel, but got sued by the above mentioned security vendors. This is what happens when you put your trust in third party vendors." link [slashdot.org]

      'The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise
    • by Anonymous Coward

I was working for a developer who had a few video games published by Microsoft around the time NT was shipping. The games and marketing divisions were having it out with Dave Cutler and the NT team because the NT team was fighting like hell against putting anything that wasn't absolutely necessary in ring0 ("kernel") space. (The bulk of the NT team followed Cutler from DEC and were experienced server OS developers.) The NT team was taking the right approach for a server but on the hardware at the time tha

      • by epine ( 68316 )

        Ultimately they ended up putting it in ring0 and making other concessions for "consumers" and things just went down hill from there.

        You've misused the word "ultimately" to imply a stubborn impasse ending in capitulation.

        That's not how things went. Cutler kept all that flaky shit out of ring0 long enough to get most of the bugs out of the core OS, without becoming befuddled by having so many fingers to point. The game vendors had to suck it for a while with a development model where their own bugs were obv

• Thank God!

    by __aaclcg7560 ( 824291 ) on Wednesday June 29, 2016 @09:25AM (#52412831)
    My workplace uses McAfee security products. We're safe.
  • Is this new, or from a few weeks ago? The date on TFA is from today but the description of the bug is nearly identical to stuff that hit the news stands about a month ago, even down to some identical wording. I can't tell if I need to make sure I get patched ASAP, or if this is something that's already been covered with earlier updates.

    • by Anonymous Coward

A patch, Symantec Endpoint Protection 12.1.6 MP5, was released yesterday.

According to https://support.symantec.com/en_US/article.INFO3801.html

      In addition to the following fixes, this release addresses the following security advisories:

      Symantec Decomposer Engine Multiple Parsing Vulnerabilities (SYM16-010)
      Symantec Endpoint Protection Manager Multiple Security Issues (SYM16-011)

  • by Anonymous Coward

    Unencrypted shards. Who thought it would be a good idea to send "commandlets" across a network without the least bit of security? Commandlets that execute with admin privileges...

    The Air Force, that's who. They've bought into Tanium hook, line, and sinker.

  • The best antivirus ever is to use your fucking brain when you surf the Internet. And, if you don't have a brain, to stay OFF the fucking Internet.

    99.999% of all viruses and malware are distributed by one of these three methods:

    1) Spamming email addresses with infected links promising penile enlargement, instant riches, or notifying you of a problem with an account you don't even have at a bank you've never heard of (and yet people still fall for it)

    2) Porn sites. All of them spread viruses and malware. That

    • by flappinbooger ( 574405 ) on Wednesday June 29, 2016 @10:58AM (#52413599) Homepage

      You're wrong on #2.

      Porn sites do NOT spread malware. Maybe at one time they did, but not any more.

      I have an anecdote to prove my point (this is the internet, after all)

A guy brings in his computer; it has a virus. He's sure the kid has been doing "naughty" things on it and got it infected. Digital AIDS, as it were.

      I fixed the virus and did an "audit" of the PC's surfing history and searches and so on, giving me a timeline up to the point where it got infected.

      The kid was indeed surfing porn. I asked the guy when he and momma went to bed. "10:00" he said. I told him I could tell. Little Johnny was surfing for "hot milfs", "Zoo porn" and other horrible things starting at 10:30. But the virus didn't get downloaded then.

      The virus got downloaded at 7:30 in the morning when the adult got on the PC and did a google search for "TV Repair in [local town name]" and followed whatever link was there that took him to a fake antivirus driveby download.

      In other words, Bestiality? Safe. TV Repair? Not safe.

      I have other examples too, such as malicious ads on PBS kids and Drudge report and so on.

      • by lgw ( 121541 )

        Not a surprise. I've worked with IT guys who had worked on porn sites. They're obsessive about security. Competition is so fierce that anything that would give the user the least hesitation simply isn't tolerated.

      • Bestiality? Safe. TV Repair? Not safe.

        That's why, when your TV breaks, you're supposed to go buy a new one.

I mean, really. Fixing broken stuff? Not only does it violate the warranty, you can end up getting viruses!

      • You're wrong on #2.

        Porn sites do NOT spread malware. Maybe at one time they did, but not any more.

        I have an anecdote to prove my point (this is the internet, after all)

A guy brings in his computer; it has a virus. He's sure the kid has been doing "naughty" things on it and got it infected. Digital AIDS, as it were.

        I fixed the virus and did an "audit" of the PC's surfing history and searches and so on, giving me a timeline up to the point where it got infected.

        The kid was indeed surfing porn. I asked the guy when he and momma went to bed. "10:00" he said. I told him I could tell. Little Johnny was surfing for "hot milfs", "Zoo porn" and other horrible things starting at 10:30. But the virus didn't get downloaded then.

        The virus got downloaded at 7:30 in the morning when the adult got on the PC and did a google search for "TV Repair in [local town name]" and followed whatever link was there that took him to a fake antivirus driveby download.

        In other words, Bestiality? Safe. TV Repair? Not safe.

        I have other examples too, such as malicious ads on PBS kids and Drudge report and so on.

        Yeah I hate hearing people say "Stop browsing those Porn sites." Porn sites aren't going to infect their customers who not only bring ad revenue but many times subscription revenue as well.

    • by wbr1 ( 2538558 )
      Some of that is correct for joe home user. You apparently have not really seen targeted business malware. One of my clients is a moderate sized insurance firm. They get very legitimate looking and sounding emails on a daily basis that contain malware attachments. They have to use attachments every day in their normal work flow. Many of these emails are very specific, with industry knowledge, forms, and jargon that are used correctly, targeted at individuals in certain job functions using good grammar a
    • Incorrect on porn sites, these days it is actually the Church sites you've got to be careful of.

  • Who's daddy do you trust?

  • Internet Storm Center has a writeup and a test file you can download: https://isc.sans.edu/forums/di... [sans.edu]
  • "The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links."

    Okay, now that's funny. I bet the NSA/FBI/CIA is having a fucking field day with this little flaw. Unless you can prevent everyone from sending you an email (!!) you can be compromised. And that is pretty much the whole fucking point of email: to receive an email.

    "The unpackers work by parsing code contained in files before th

  • This got me thinking of the maliciously constructed ZIP/RAR files that would expand endlessly from a very small zip into files that were larger than any hard drive could handle, as well as make directory/file structures so deep you couldn't delete them in windows. Sure these days they are hiding malicious payloads in there as the above bugs mention, but I could see one of these being the payload for annoyance purposes if they still exist.
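The expanding-archive trick this post describes is something a scanner can test for before it inflates anything, and the check belongs in the same unprivileged worker the thread argues for. The following is an added example, not code from the thread or from any vendor product: a Python inspector that flags an implausible declared compression ratio, excessive nesting depth and paths that escape the extraction root, then inflates under a hard byte cap because the sizes in the central directory are attacker-controlled. The sample archives, the thresholds and the finding names are all constructed for this illustration.

```python
import io
import posixpath
import zipfile

def inspect_zip(data: bytes, max_total: int = 64 * 1024 * 1024,
                max_ratio: int = 100, max_depth: int = 16) -> list:
    """Return a list of (kind, member_name) findings; an empty list means
    nothing was flagged. Thresholds are illustrative assumptions."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        declared_total = 0
        for info in members:
            name = info.filename
            declared_total += info.file_size
            # Central-directory sizes are written by whoever built the
            # archive, so a declared ratio is a first signal, not proof.
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings.append(("high_ratio", name))
            # Deeply nested directories are the "can't delete it" trick.
            if len(name.split("/")) > max_depth:
                findings.append(("deep_path", name))
            # Members that resolve outside the extraction root.
            norm = posixpath.normpath(name)
            if name.startswith("/") or norm == ".." or norm.startswith("../"):
                findings.append(("path_escape", name))
        if declared_total > max_total:
            findings.append(("total_declared", "<archive>"))
        # Second line of defence: inflate with a hard byte cap so a lying
        # header cannot make the scanner fill the disk or exhaust memory.
        inflated = 0
        for info in members:
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(1 << 16)
                    if not chunk:
                        break
                    inflated += len(chunk)
                    if inflated > max_total:
                        findings.append(("inflate_cap", info.filename))
                        return findings
    return findings

def build_sample_zip(bomb: bool) -> bytes:
    """Constructed samples: a control archive, or one carrying all three
    tricks (high ratio, deep nesting, path escape)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Control sample: ordinary text, nothing to flag.\n")
        if bomb:
            zf.writestr("zeros.bin", b"\x00" * (8 * 1024 * 1024))  # roughly 1000:1
            zf.writestr("d/" * 40 + "deep.txt", "buried")
            zf.writestr("../escape.txt", "outside the extraction root")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_zip(build_sample_zip(bomb=False)))
    print(inspect_zip(build_sample_zip(bomb=True)))
    print(inspect_zip(build_sample_zip(bomb=True), max_total=1024 * 1024))
```

Run with a 1 MiB cap, the 8 MiB member trips `inflate_cap` partway through and the inspector stops reading, which is the behaviour that matters: the declared-size checks catch a careless archive, the cap catches one that lies.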
• Let's just be clear on what happened here. A library used to defend against malware itself has a zero-day which is targetable by malware. This from an industry that has put decades of programming effort into doing just one thing, and attracts some of the best of the best as developers.

    Just pointing this out explicitly for everyone who thinks that IoT won't wreak real physical harm, potentially on a on a scale previously unheard of and (as a consequence) programming same will be not be tightly regulated and li

    • by Jeremi ( 14640 )

      IoT is going to end programming freedom as we know it.

      A more likely scenario is that IoT will end IoT as we know it.

      Once people realize that they don't really get much value out of putting their appliances on the Internet, but do risk getting hacked, the next big marketing push will be "certified air-gapped secure" appliances, aka traditional/non-IoT appliances, and the idea of IoT can join VRML, GeoCities, and DivX in the Hall of Technologies That It Turns Out Nobody Actually Wanted After All. (aka the HOTTITONAWAA).

  • by jonwil ( 467024 ) on Wednesday June 29, 2016 @05:11PM (#52416417)

I have had Norton and Symantec on my own personal blacklist of entities I refuse to have anything to do with ever since I installed some version of Norton Internet Security and it made my web browsing (and possibly other stuff) stop working until I completely uninstalled it.

    • I have not installed a Symantec product, or permitted a pre-installed Symantec product to remain, on any machine I control in a decade. In the five or six years before that I made several attempts to use Symantec security or utility products. They were never usable, in some cases they never worked at all. Antivirus programs that insisted on running at 95% CPU all the time if they were installed, but proved very difficult to uninstall. A backup program that did all their backups as uncompressed full image pr

• "Tavis Ormandy, a researcher with Google's Project Zero," I wonder if Tavis is any relation to Eugene Ormandy, the great conductor of the Philly Orchestra??? Hmmm.
  • Symantec is the elephant graveyard of software. Any software that Symantec acquires, no matter how good it was originally, will turn to crap. We saw it with Norton Antivirus, Norton Utilities, a couple other things.

    For a while their enterprise antivirus product bucked the curve and actually did reasonably well, but I guess that was just a statistical anomaly that Symantec has since corrected.

  • I thought everyone knew about not doing dumb stuff like this no later than 1999. The Unix world knew that way back in the 1980s. So I suppose Windows is still around 30 years behind.

  • Just how thoroughly have hackers licked antivirus programs? So thoroughly that even Symantec, which essentially invented commercial antivirus, is jumping ship on the concept, the Wall Street Journal reports. Antivirus "is dead," Symantec Senior VP Brian Dye tells the paper. "We don't think of antivirus as a moneymaker in any way." Symantec's new stance, he explains, will be to assume that hackers can and will break through any antivirus protection, and to focus on containing the damage once they do. Symant
