Tavis Ormandy, a security researcher with Google Project Zero, has discovered a critical vulnerability in the Symantec Antivirus Engine (AVE). It allows an attacker to cause memory corruption, and an attacker who e-mails the victim a specially crafted file, or a link to one, can execute arbitrary code remotely.

Severe Vulnerability Was Detected In Symantec Antivirus Products

CVE-2016-2208 is a vulnerability in how AVE parses executable files compressed with the ASPack packer.

The problem affects several Symantec and Norton products, including Symantec Endpoint Antivirus, Norton Antivirus, Symantec Email Security, and Symantec Scan Engine.

As Symantec Corporation said in its advisory on the issue, tracked as CVE-2016-2208: “No user interaction is required to trigger the parsing of the malformed file.”

Ormandy said that “For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, and on Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability — this is about as bad as it can possibly get”.

The flaw, which yields code execution in the kernel or as root, causes a memory access violation that in most cases leads to an immediate system crash, as Ormandy found when he attempted to report it to Symantec.

Exploitation only requires sending a specially crafted file; no further action is needed. Symantec's mail server went down as soon as the company's own product unpacked the file containing the researcher's proof-of-concept code.

Ormandy explained: “This is a remote code execution vulnerability. Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it”.
