Symantec Corporation (commonly known as Symantec) is an American technology company headquartered in Mountain View, California, United States. The company produces software for security, storage, backup and availability, and offers professional services to support that software. Recently a severe vulnerability was disclosed in its Anti-Virus Engine (AVE).
Severe Vulnerability Was Detected In Symantec Antivirus Products

Tavis Ormandy, a security researcher with Google Project Zero, has discovered a critical vulnerability in the Symantec Antivirus Engine (AVE). A specially crafted file corrupts memory in the engine when it is scanned, so an attacker only has to e-mail the file to the victim, or send a link to it, to execute arbitrary code remotely.
CVE-2016-2208 is a memory corruption vulnerability in the way AVE parses executable files compressed with the ASPack packer. The problem affects a number of Symantec and Norton products, including Symantec Endpoint Protection, Norton Antivirus, Symantec Email Security, and the Symantec Scan Engine.
As Symantec said in its advisory for CVE-2016-2208: “No user interaction is required to trigger the parsing of the malformed file.”
Ormandy described the impact as follows: “For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability — this is about as bad as it can possibly get.”
When Ormandy reported the issue to Symantec, he described it as a memory access violation in code that runs as root (or, on Windows, inside the kernel), which in most cases crashes the system immediately. Exploitation requires nothing more than delivering the specially crafted file; no further action by the victim is needed. Symantec's own mail server went down as soon as the company's product unpacked the file carrying the researcher's proof-of-concept code.
Ormandy explained: “This is a remote code execution vulnerability. Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.”
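The bug class behind CVE-2016-2208, in a worked example added here (this is neither Symantec's code nor Ormandy's proof of concept; the exact Symantec routine is not on this page): a section loader of the kind an unpacker runs over an ASPack-packed PE file. It uses three fields of the PE section header (VirtualSize, SizeOfRawData, PointerToRawData) and assumes, as a simplification of the reported bug, that the engine sizes its buffer from VirtualSize but copies SizeOfRawData bytes, so a header whose SizeOfRawData exceeds VirtualSize overruns the heap buffer. A small static arena with a canary byte stands in for the heap so the overrun is observable without undefined behaviour; the sample file bytes and headers are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three IMAGE_SECTION_HEADER fields the copy depends on. */
typedef struct {
    uint32_t VirtualSize;      /* size of the section once mapped */
    uint32_t SizeOfRawData;    /* size of the section's bytes in the file */
    uint32_t PointerToRawData; /* file offset of those bytes */
} section_header;

/* A static arena stands in for the heap: the "chunk" for the section starts
 * at arena[0], and a canary byte at arena[VirtualSize] plays the role of the
 * neighbouring chunk that a real heap overflow would corrupt. */
#define ARENA_SIZE 256
#define CANARY 0xA5
static uint8_t arena[ARENA_SIZE];

enum { LOAD_OK = 0, LOAD_REJECTED = -1, LOAD_CANARY_SMASHED = 1 };

/* The checks the vulnerable pattern lacks. */
static int header_is_sane(const section_header *h, size_t file_len)
{
    /* Raw bytes must lie inside the file; written so the sum cannot wrap. */
    if (h->PointerToRawData > file_len)
        return 0;
    if (h->SizeOfRawData > file_len - h->PointerToRawData)
        return 0;
    /* The destination holds VirtualSize bytes, so the copy may not exceed it. */
    if (h->SizeOfRawData > h->VirtualSize)
        return 0;
    return 1;
}

/* Loads one section into a VirtualSize-byte buffer. hardened == 0 reproduces
 * the vulnerable pattern (copy length taken straight from SizeOfRawData);
 * hardened == 1 validates the header first. Returns LOAD_OK, LOAD_REJECTED,
 * or LOAD_CANARY_SMASHED when the copy overran the buffer. */
int load_section(const uint8_t *file, size_t file_len,
                 const section_header *h, int hardened)
{
    /* Demo guard only: keep buffer, canary and any overrun inside the arena
     * and the read inside the sample file, so the example never hits UB.
     * The real vulnerable code had no such limit. */
    if (h->VirtualSize == 0 || h->VirtualSize >= ARENA_SIZE ||
        h->SizeOfRawData >= ARENA_SIZE ||
        (size_t)h->PointerToRawData + h->SizeOfRawData > file_len)
        return LOAD_REJECTED;

    if (hardened && !header_is_sane(h, file_len))
        return LOAD_REJECTED;

    memset(arena, 0, ARENA_SIZE);
    uint8_t *buf = arena;             /* stands in for malloc(VirtualSize) */
    arena[h->VirtualSize] = CANARY;   /* first byte of the next heap chunk */

    /* The defect: buffer sized by VirtualSize, copy sized by SizeOfRawData. */
    memcpy(buf, file + h->PointerToRawData, h->SizeOfRawData);

    return arena[h->VirtualSize] == CANARY ? LOAD_OK : LOAD_CANARY_SMASHED;
}

/* Constructed headers: the crafted one claims more raw bytes than the
 * mapped size, which is the shape of input that triggers the overrun. */
static const section_header benign_hdr  = { 16, 16, 0 };
static const section_header crafted_hdr = { 16, 64, 0 };

/* Runs load_section against a constructed 96-byte "file" filled with 'A'. */
int run_demo(const section_header *h, int hardened)
{
    uint8_t file[96];
    memset(file, 'A', sizeof file);
    return load_section(file, sizeof file, h, hardened);
}

int main(void)
{
    printf("benign,  vulnerable: %d\n", run_demo(&benign_hdr, 0));
    printf("crafted, vulnerable: %d (canary smashed)\n", run_demo(&crafted_hdr, 0));
    printf("crafted, hardened:   %d (rejected)\n", run_demo(&crafted_hdr, 1));
    return 0;
}
```

The hardened path rejects the header outright; a general-purpose PE loader would instead copy at most min(SizeOfRawData, VirtualSize) bytes, since file-alignment padding legitimately makes SizeOfRawData larger than VirtualSize in benign binaries. Either way, the point is that no length used for a copy may come from the file without being checked against the destination size, and the bounds arithmetic must be written so that it cannot itself wrap. The same missing check in a component loaded into the kernel, as Ormandy notes for the Windows build, turns the heap overflow into kernel memory corruption.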