Symantec Antivirus Products Vulnerable To Horrid Overflow Bug (zdnet.com)
An anonymous reader writes: Tavis Ormandy of Google's Project Zero team has discovered a vulnerability in Symantec Antivirus Engine. The said engine is vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files, reports ZDNet. "Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site," Symantec said. "No user interaction is required to trigger the parsing of the malformed file." For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, Ormandy said in the Project Zero issue tracker. "On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get," he said. The vulnerability, if exploited, results in kernel memory corruption without user action and instant blue-screening on Windows.
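The bug class the summary describes, as an added example that is not from the article, the Project Zero report or Symantec's code: a toy PE section-table reader that trusts e_lfanew, NumberOfSections and SizeOfOptionalHeader straight from the file, beside a version that checks each of them against the input length and the destination capacity before touching memory. The header offsets are the real PE ones; the scanner's fixed table size (MAX_SECTIONS), the sentinel layout and the sample bytes are constructed for the demo and are assumptions.

```c
/*
 * Constructed illustration of a PE header parsing overflow: a section table
 * copied into a fixed buffer using counts and sizes read from the file.
 * Not Symantec's engine code. PE offsets are real; MAX_SECTIONS and the
 * sample input are assumptions made for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTION_HDR_SIZE 40   /* sizeof(IMAGE_SECTION_HEADER) */
#define MAX_SECTIONS     4    /* assumed fixed capacity of the scanner's table */

typedef struct { uint8_t raw[SECTION_HDR_SIZE]; } pe_section;

/* Table with a sentinel directly behind it so an overrun is observable.
 * A copy of MAX_SECTIONS+1 entries lands exactly on the sentinel, still
 * inside this object; any larger count would trample unrelated memory. */
typedef struct {
    pe_section table[MAX_SECTIONS];
    uint8_t    sentinel[SECTION_HDR_SIZE];
} section_table;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Vulnerable pattern: e_lfanew, NumberOfSections and SizeOfOptionalHeader are
 * taken from the file and used without checking them against the input
 * length or the destination capacity. Returns the count it copied. */
int pe_copy_sections_unchecked(const uint8_t *f, size_t len, void *dst)
{
    (void)len;                                  /* never consulted: that is the bug */
    uint32_t nt   = rd32(f + 0x3C);             /* IMAGE_DOS_HEADER.e_lfanew */
    uint16_t nsec = rd16(f + nt + 6);           /* FileHeader.NumberOfSections */
    uint16_t opt  = rd16(f + nt + 20);          /* FileHeader.SizeOfOptionalHeader */
    size_t   tbl  = (size_t)nt + 24 + opt;      /* first IMAGE_SECTION_HEADER */
    memcpy(dst, f + tbl, (size_t)nsec * SECTION_HDR_SIZE);  /* nsec > capacity: overflow */
    return nsec;
}

/* Hardened form: every offset is checked against len before it is read, and
 * the count against both the destination capacity and the bytes remaining. */
int pe_copy_sections_checked(const uint8_t *f, size_t len, pe_section *dst, size_t cap)
{
    if (len < 0x40 || rd16(f) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t nt = rd32(f + 0x3C);
    if (nt > len || len - nt < 24) return -1;                     /* need signature + FileHeader */
    if (rd32(f + nt) != 0x00004550u) return -1;                   /* "PE\0\0" */
    uint16_t nsec = rd16(f + nt + 6);
    uint16_t opt  = rd16(f + nt + 20);
    size_t tbl = (size_t)nt + 24 + opt;
    if (tbl > len) return -1;                                     /* optional header past EOF */
    if (nsec > cap) return -1;                                    /* would overflow dst */
    if ((size_t)nsec * SECTION_HDR_SIZE > len - tbl) return -1;   /* table runs past EOF */
    memcpy(dst, f + tbl, (size_t)nsec * SECTION_HDR_SIZE);
    return nsec;
}

/* Constructed PE-shaped input claiming nsec sections; returns bytes written. */
size_t build_sample(uint8_t *buf, size_t bufsz, uint16_t nsec)
{
    const uint32_t nt = 0x40;
    const uint16_t opt = 0xE0;                                    /* PE32 optional header size */
    size_t tbl = nt + 24 + opt, total = tbl + (size_t)nsec * SECTION_HDR_SIZE;
    if (total > bufsz) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, nt);
    buf[nt] = 'P'; buf[nt + 1] = 'E';
    wr16(buf + nt + 6, nsec);
    wr16(buf + nt + 20, opt);
    for (uint16_t i = 0; i < nsec; i++)                           /* mark each section name */
        buf[tbl + (size_t)i * SECTION_HDR_SIZE] = '.';
    return total;
}

#define SAMPLE_MAX (0x40 + 24 + 0xE0 + (MAX_SECTIONS + 1) * SECTION_HDR_SIZE)

/* 1 if the unchecked copy of a MAX_SECTIONS+1 table overwrote the sentinel. */
int unchecked_overruns(void)
{
    uint8_t f[SAMPLE_MAX]; section_table t;
    size_t len = build_sample(f, sizeof f, MAX_SECTIONS + 1);
    memset(&t, 0xAA, sizeof t);
    pe_copy_sections_unchecked(f, len, &t);
    return t.sentinel[0] != 0xAA;
}

/* Same oversized file through the checked parser: rejected, sentinel intact. */
int checked_rejects_oversized(void)
{
    uint8_t f[SAMPLE_MAX]; section_table t;
    size_t len = build_sample(f, sizeof f, MAX_SECTIONS + 1);
    memset(&t, 0xAA, sizeof t);
    int r = pe_copy_sections_checked(f, len, t.table, MAX_SECTIONS);
    return r == -1 && t.sentinel[0] == 0xAA;
}

/* Well-formed 3-section file: returns 3 with the entries copied in place. */
int checked_accepts_benign(void)
{
    uint8_t f[SAMPLE_MAX]; section_table t;
    size_t len = build_sample(f, sizeof f, 3);
    memset(&t, 0xAA, sizeof t);
    int r = pe_copy_sections_checked(f, len, t.table, MAX_SECTIONS);
    return (t.table[2].raw[0] == '.' && t.sentinel[0] == 0xAA) ? r : -2;
}

/* The same file cut one byte short of its section table is refused. */
int checked_rejects_truncated(void)
{
    uint8_t f[SAMPLE_MAX]; pe_section t[MAX_SECTIONS];
    size_t len = build_sample(f, sizeof f, 3);
    return pe_copy_sections_checked(f, len - 1, t, MAX_SECTIONS) == -1;
}

int main(void)
{
    printf("unchecked overruns sentinel: %d\n", unchecked_overruns());
    printf("checked rejects oversized:   %d\n", checked_rejects_oversized());
    printf("checked accepts benign:      %d\n", checked_accepts_benign());
    printf("checked rejects truncated:   %d\n", checked_rejects_truncated());
    return 0;
}
```

The ordering of the checks in the hardened version matters: the PE signature is only read after `len - nt >= 24` has established that the signature and FileHeader are inside the buffer, and the section count is compared against the destination capacity before the remaining-bytes check so that `nsec * SECTION_HDR_SIZE` is bounded by the time it is used. The same shape applies to every other length-carrying field in a PE (data directories, resource trees, import tables): read it, bound it against what is left of the input, then against what the output can hold.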
This isn't "as bad as it gets" yet. However, "Kernel memory corruption leading to blue screens" is "random stuff got sprayed across the kernel memory". If you can do that, and if you can get a handle on what got sprayed where... then, you have a decent chance of being able to improve that to "Kernel memory corruption leading to remote code execution. In Ring 0."
And that's as bad as it gets.
Well, on one hand, it does make some sense. Windows still has the equivalent of a system call table, but it is hookable and the antivirus program will monitor who's hooking the system calls. In addition, it too will hook the system calls to be able to scan files the second they're downloaded as well as be able to block creation of processes using infected files, which helps block infection. It also means many user-space tricks are no longer valid (a user space scanner is vulnerable to malware that can hide itself inside the kernel).
So it does make some sense to have a part of your scanner inside the kernel itself.
Of course, the downside is your scanner is now the target of attack because, well, it's a nice juicy place to attack.