Google’s Project Zero research team has been dedicated to finding zero-day exploits and vulnerabilities for nearly two years now. While it formed in response to the Heartbleed vulnerability, it searches for problems in both Google’s own products and those of other companies — and the flaws it has uncovered in security software from Symantec are, in the words of Google researcher Tavis Ormandy, “as bad as things get.”
Symantec uses a common engine for its enterprise and home security products,according to Ormandy. The list of critically compromised products includes:
- Norton Security, Norton 360, and other legacy Norton products (All Platforms)
- Symantec Endpoint Protection (All Versions, All Platforms)
- Symantec Email Security (All Platforms)
- Symantec Protection Engine (All Platforms)
- Symantec Protection for SharePoint Servers; and so on
The first problem with Symantec’s products is that they were running an executable unpacker — a software program designed to unpack an executable and check it for malicious code — directly within the kernel. Ormandy writes:
Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.
An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant trade-off in terms of increasing attack surface.
This flaw, alone, could be a showstopper, but it’s not the only issue Google found with Symantec products. There are flaws in how Symantec scans PowerPoint streams that can be combined with its default heuristic settings that allow for default code execution as well. Finally, multiple libraries used in Symantec’s entire suite of shipping products were found to be at least seven years out of date, with “dozens of public vulnerabilities.”
Nobody wants to pay for security, including security companies
IT security has a well-earned reputation for being a hard and generally thankless job. Companies and individuals pay lip service to the high-level concept of security, but only a handful of people can claim to understand the topic in comprehensive fashion. It’s easy to understand why so many companies have poor security practices, even if we don’t particularly like the explanation: Actually securing hardware and software is extremely difficult, while claiming to have implemented proper security is very easy.
This slide from a recent Symantec presentation completely omits “Fixed crippling zero-day exploits that completely compromised our product,” for example.
In theory, issues like this can be mitigated by outsourcing security product development to specialized companies, like Symantec. In practice, the same intrinsic difficulties that make proper security difficult within a corporation also make it hard to build specialized security suites — particularly when there’s such enormous tension between marketing, which wants a perpetual cadence of yearly update cycles, flashy new features, glitzy UI elements, and bullet points, and the actual task of developing and maintaining security software.
There’s nothing sexy about a new version of Norton if the back of the box reads “Updated core libraries” or “Decreased attack surface thanks to a comprehensive audit of our own source code.” Far from reassuring customers, this kind of disclosure could be read to imply that previous versions of the company’s products weren’t secure and didn’t provide the benefits they promised. Balancing the need for this sort of comprehensive and ongoing under-the-hood security maintenance with new features and capabilities is extremely difficult.
Symantec appears to have issued fixes for all of the issues Google reported. But the fact that these flaws persisted as long as they did is evidence that proper due diligence simply wasn’t being conducted. In theory, consumers and businesses could punish Symantec for these oversights by contracting with other security vendors. In practice, there’s no guarantee that products from other vendors are well-secured, either — and therefore no clear way to determine just how secure a given security suite actually is.
