Slashdot Mirror


Symantec Antivirus Products Vulnerable To Horrid Overflow Bug (zdnet.com)

An anonymous reader writes: Tavis Ormandy of Google's Project Zero team has discovered a vulnerability in Symantec Antivirus Engine. The said engine is vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files, reports ZDNet. "Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site," Symantec said. "No user interaction is required to trigger the parsing of the malformed file." For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, Ormandy said in the Project Zero issue tracker. "On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get," he said. The vulnerability, if exploited, results in kernel memory corruption without user action and instant blue-screening on Windows.
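An added example, not code from the article, Symantec or Project Zero: a bounds-checked PE header parser in C showing the checks a scan engine has to make before trusting attacker-controlled header fields such as e_lfanew and NumberOfSections. The sample buffers are constructed skeletons, not real binaries.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DOS_MAGIC 0x5A4DU      /* "MZ" */
#define PE_MAGIC  0x00004550U  /* "PE\0\0" */
#define SAMPLE_LEN 256

typedef struct {
    int ok;                      /* 1 when every header field checked out */
    uint16_t num_sections;
    uint32_t section_table_end;  /* file offset one past the last section entry */
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v & 0xFFFF)); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Hardened parser: every attacker-controlled offset or count is checked against
 * len before it is used to index buf, so a malformed header can only yield
 * ok == 0, never an out-of-bounds read. */
pe_info parse_pe(const uint8_t *buf, size_t len) {
    pe_info r = {0, 0, 0};
    if (len < 0x40 || rd16(buf) != DOS_MAGIC) return r;   /* DOS header is 64 bytes */
    uint32_t lfanew = rd32(buf + 0x3C);                   /* e_lfanew */
    if (lfanew > len || len - lfanew < 24) return r;      /* "PE\0\0" + 20-byte FileHeader must fit */
    const uint8_t *nt = buf + lfanew;
    if (rd32(nt) != PE_MAGIC) return r;
    uint16_t nsec = rd16(nt + 6);                         /* NumberOfSections */
    uint16_t opt = rd16(nt + 20);                         /* SizeOfOptionalHeader */
    uint64_t tbl_end = (uint64_t)lfanew + 24 + opt + (uint64_t)nsec * 40; /* 40 bytes per section */
    if (tbl_end > len) return r;                          /* section table would run past the file */
    r.ok = 1; r.num_sections = nsec; r.section_table_end = (uint32_t)tbl_end;
    return r;
}

/* Constructed sample (not a real binary): minimal MZ/PE skeleton with the given
 * e_lfanew, section count and optional-header size. */
static void make_sample(uint8_t *buf, uint32_t lfanew, uint16_t nsec, uint16_t opt) {
    memset(buf, 0, SAMPLE_LEN);
    wr16(buf, DOS_MAGIC);
    wr32(buf + 0x3C, lfanew);
    if (lfanew <= SAMPLE_LEN - 24) {   /* only write NT headers when they fit */
        wr32(buf + lfanew, PE_MAGIC);
        wr16(buf + lfanew + 6, nsec);
        wr16(buf + lfanew + 20, opt);
    }
}

int check_wellformed(void)      { uint8_t b[SAMPLE_LEN]; make_sample(b, 0x80, 2, 16);         return parse_pe(b, SAMPLE_LEN).ok; }
int check_bad_lfanew(void)      { uint8_t b[SAMPLE_LEN]; make_sample(b, 0xFFFFFFF0U, 1, 16);  return parse_pe(b, SAMPLE_LEN).ok; }
int check_section_overrun(void) { uint8_t b[SAMPLE_LEN]; make_sample(b, 0x80, 0xFFFF, 16);    return parse_pe(b, SAMPLE_LEN).ok; }
```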


  1. That's awesome by easyTree · · Score: 1

    Irony Overflow Exception.at lines one to infinity.

  2. Re: Why does this matter? by Anonymous Coward · · Score: 5, Funny

    Lots of organizations use Symantec. Some Slashdot readers actually have jobs at such organizations and would therefore find this information useful. You don't because you're in your mom's basement with your NetBSD computers.

  3. Re:Why does this matter? by Anonymous Coward · · Score: 1

    We use Symantec Endpoint Protection. We tested over a dozen anti-virus systems, and it was the least worst. It's still pretty bad. I import and test .ova (Open Virtualization Archive) files several times a day. With Symantec enabled, it takes about four hours for a 2Gbyte compressed image. With it off, it usually takes less than ten minutes. Unfortunately my boss won't let me get rid of Windows since most of our customers use VirtualBox on Windows.

  4. A thing of beauty by cyriustek · · Score: 3, Interesting

    Tavis Ormandy is bad ass, and is really awesome at finding bugs. Whether it is Microsoft, Symantec, or anything else, he will find a bug if one is there.

    This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.

    1. Re:A thing of beauty by tlhIngan · · Score: 4, Insightful

      This is a beautiful bug! Having the scan engine loaded into the kernel is sheer lunacy. Yet even more evidence on why AntiVirus is a useless and dangerous program to have running on your system.

      Well, on one hand, it does make some sense. Windows still has the equivalent of a system call table, but it is hookable and the antivirus program will monitor who's hooking the system calls. In addition, it too will hook the system calls to be able to scan files the second they're downloaded as well as be able to block creation of processes using infected files, which helps block infection. It also means many user-space tricks are no longer valid (a user space scanner is vulnerable to malware that can hide itself inside the kernel).

      So it does make some sense to have a part of your scanner inside the kernel itself.

      Of course, the downside is your scanner is now the target of attack because, well, it's a nice juicy place to attack.

    2. Re:A thing of beauty by cant_get_a_good_nick · · Score: 1

      Wasn't NT at one point a microkernel? Wouldn't you at some point be able to vector this into user space libraries?

  5. The cure is worse that the disease on linux. by clockley(571021718) · · Score: 1

    Linux users would have been better off without Symantec antivirus or any av for that matter.

    1. Re: The cure is worse that the disease on linux. by clockley(571021718) · · Score: 1

      That/than

  6. so what you're saying is... by dAzED1 · · Score: 1

    Symantec actively makes Linux and UNIX less secure? Because other than the insanity Lennart Poettering gave us, I fail to see what a proper UNIX system would need with a symantec scanner. It's been far too long now for the myth of UNIX being insecure in the same ways (note the wording...) to still persist.

    1. Re: so what you're saying is... by basecastula+ · · Score: 1

      What I have wondered is how many Windows-specific pieces of malware work in Wine? How many pieces of pirated software that contain malware are still able to reach out to the world when run via Wine?

  7. Yes! by c · · Score: 4, Funny

    When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.

    Points to Symantec for eating their own dog food, I guess.

    --
    Log in or piss off.

    1. Re:Yes! by powerlord · · Score: 1

      When Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server.

      Points to Symantec for eating their own dog food, I guess.

      Maybe ... but points off for having the Dog Food manufactured in China.

      --
      This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.

  8. Re:Why does this matter? by xxxJonBoyxxx · · Score: 1

    >> Wait I am confused when you put neckbeards and symantec in the same sentence

    This. No one buys Symantec unless their company culture consumes enterprise marketing pieces like "Gartner MQs" to figure what to buy.

  9. Re: Why does this matter? by Anonymous Coward · · Score: 1

    He's writing angry letters to the president in emacs under a single light bulb hanging from its own power wire.

  10. I wonder how long it will take... by Mike+Van+Pelt · · Score: 4, Insightful

    This isn't "as bad as it gets" yet. However, "Kernel memory corruption leading to blue screens" is "random stuff got sprayed across the kernel memory". If you can do that, and if you can get a handle on what got sprayed where... then, you have a decent chance of being able to improve that to "Kernel memory corruption leading to remote code execution. In Ring 0."

    And that's as bad as it gets.

  11. Re:Why does this matter? by darkain · · Score: 1

    Actually, sadly, yes, organizations use this shit. I've seen a few Bring Your Own Device networks (such as college campuses) that force you to install whatever "security" bullshit they shove down your throat in order to be allowed to access their network. One such thing I came across was indeed Norton's shitware.

  12. Re:Why does this matter? by Tablizer · · Score: 1

    Does anyone still use Symantec?

    People ticked off by McCrapfee

  13. Re:Why does this matter? by Joe_Dragon · · Score: 1

    What happens when the Mac or Linux box tries to get on?

  14. Re:Why does this matter? by jgtg32a · · Score: 3, Informative

    SEP has RPM and DEB packages

  15. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  16. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  17. Actually, there's a few levels left. by Anonymous Coward · · Score: 1

    Find a similar bug in a SMM (ring -1) handler in your UEFI BIOS... or perhaps in the various subsystems both Intel and AMD keep on strewing over their offerings that include complete RTOSes running in ring -2 or -3, or in the LOM, maybe on a processor embedded in the southbridge, which might run diddled Chinese firmware complete with diddle-hider, or.... And yes, that southbridge thing sits on a management NIC and gets its input from there before the rest of the system even sees it, so any exploit more or less has to be remote.

    Nope, there's really no end to the depth of the rot. Please note that for most of these at least promising proof-of-concepts already exist, and where not publicly known often strong hints are available that someone must have developed such a thing anyway. And yes, there really are that many OSes running on various parts on a modern computer. Hey, who knows, maybe the microcode can somehow be triggered too.

  18. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  19. Because it runs on AIX and Solaris... by mlts · · Score: 1

    Yes, it is a waste of time, but McAfee and Symantec both have ICSA certified AV solutions which run on Linux, Solaris, HP-UX, and AIX. This is crucial in a lot of environments to make the legal eagles happy, and check that box off that "all computers run a certified AV solution", even if the machines are LPARs or LDOMs.

    Sounds idiotic, but PCI-DSS and other specs can require this, even though the AV software, at best, will be deadweight.

    1. Re:Because it runs on AIX and Solaris... by viperidaenz · · Score: 1

      You mean they require a specific set of certified attack vectors to be installed on every machine?

  20. Re: Why does this matter? by eumoria · · Score: 1

    My company insists on using it. We're small, though, so maybe one day I'll convince them that having it and not having it is basically the same thing except with one you spend a lot of money for no reason.

  21. Re:Why does this matter? by Joe_Dragon · · Score: 1

    Does it push them at login? Let you hit the repos to get the dependencies?

  22. automated fix already out by synthe · · Score: 2

    Unless you don't update AV definitions, this is a nonissue. The AV definition files dated 5/16/16 rev24 included an updated av engine component that fixes this vulnerability. By the time I heard of this issue, our SEPM server had already downloaded the defs with fixed engine and 3/4 of our enterprise was already up to date.

    1. Re:automated fix already out by gweihir · · Score: 1

      I beg to disagree. This shows that the scanning engines are of low(est) quality and run in places they should not. While this particular bug is now fixed, the underlying problem is very much not so.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

    2. Re:automated fix already out by gweihir · · Score: 1

      You are seriously claiming that a file-scan engine needs to be in the kernel? You are even more stupid than the average AC moron.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  23. Re:Why does this matter? by Gumbercules!! · · Score: 1

    You know what, years back I worked at a place that used Symantec Endpoint Protection - and you're actually correct. Management absolutely loved Gartner. The CTO even had a Gartner Magic Quadrant of innovative companies on his wall. Every IT meeting (which was a monthly 2 hour snooze fest) started with an update from Gartner.

  24. Re:Why does this matter? by Gumbercules!! · · Score: 1

    To be fair, Symantec and Norton are not at all the same thing.

  25. TFA Description Understates Impact by AlphaBro · · Score: 1

    "instant blue-screening"? How about kernel-mode code execution, hence why "this is about as bad as it can possibly get".

  26. Most stupid design possible by gweihir · · Score: 1

    You would think that of all things, scanning engines of AV products would have buffer-overflow protection in place. But apparently, these are the same bad third-rate coders that are responsible for the problem in the first place. And doing this in kernel-space? How insane can you get?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  27. Re:Of the largest AV manufacturers by gweihir · · Score: 1

    You are kidding yourself. These two may look better at the moment, but they have the same problems. AV has become a massive security risk.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  28. Re:Why does this matter? by KlomDark · · Score: 1

    SEP is a cheap, easy, and staggeringly useful way of safely protecting something from unwanted eyes. It can run almost indefinitely on a torch (flashlight)/9 volt battery, and is able to do so because it utilizes a person's natural tendency to ignore things they don't easily accept, like, for example, aliens at a cricket match. Any object around which an S.E.P. is applied will cease to be noticed, because any problems one may have understanding it (and therefore accepting its existence) become Somebody Else's. An object becomes not so much invisible as unnoticed.

    A perfect example of this would be a ship covered in an SEP field at a cricket match. A starship taking the appearance of a large pink elephant is ideal, because you can see it, but because it is so inconceivable, your mind can't accept it. Therefore it can't exist, thus ignoring it comes naturally.

    A S.E.P. can work in much the same way in dangerous or uninhabitable environments. Any problem which may present itself to a person inside an S.E.P. (such as not being able to breathe, due to a lack of atmosphere) will become Somebody Else's.

    An S.E.P. can be seen if caught by surprise, or out of the corner of one's eye.

  29. Re:Why does this matter? by ncc74656 · · Score: 1

    SEP has RPM and DEB packages

    ...and what would their response be if you showed them something like this on your Linux box?

    salfter@files ~ $ sudo apt-get install symantec-shitware
    -bash: apt-get: command not found

    Do they tell you you're SOL?

    --
    20 January 2017: the End of an Error.

  30. Re:Why does this matter? by Culture20 · · Score: 1

    My guess is they'd actually transfer the .deb or .rpm and use dpkg or rpm to install, not apt or yum. If you use gentoo, they'd emerge apt or rpm, or perhaps in the end tell you you're SOL.