Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets' (fortune.com)
Google's Project Zero team has discovered a heap of critical vulnerabilities in Symantec and Norton security products. The flaws, the team says, allow hackers to completely compromise people's machines by simply sending them malicious self-replicating code through unopened emails or un-clicked links. According to a Fortune report, the vulnerabilities affect millions of people who run the company's endpoint security and antivirus software -- all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand). Dan Goodin, reporting for Ars Technica: The flaws reside in the engine the products use to reverse the compression tools malware developers use to conceal their malicious payloads. The unpackers work by parsing code contained in files before they're allowed to be downloaded or executed. Because Symantec runs the unpackers directly in the operating system kernel, errors can allow attackers to gain complete control over the vulnerable machine. Tavis Ormandy, a researcher with Google's Project Zero, said a better design would be for unpackers to run in a security "sandbox," which isolates untrusted code from sensitive parts of an operating system.
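The summary above says the bugs live in the unpackers, the code that expands packed files before scanning, and that running them in the kernel turns a parsing error into a full compromise. The following is an added example, not code from the article, from Symantec/Norton or from Project Zero: a toy run-length packed format (constructed for this example) with an unchecked unpacker beside a bounds-checked one. The format, the function names and the two sample streams are all assumptions made for illustration; the real vulnerable formats and engines are not described on this page.

```c
/* Added example (not code from Symantec, Norton or Project Zero).
 * A toy "packed" format and two unpackers for it, to show the class of
 * parsing bug the article describes: the input declares its own sizes,
 * and an unpacker that trusts them writes past its output buffer.
 * In a kernel-mode engine that is a kernel heap overflow. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy packed format (constructed for this example):
 *   byte 0       : declared unpacked length N (attacker-controlled)
 *   then pairs   : <count><value>, each expanding to `count` copies of value
 * The unpacker is expected to allocate N bytes and expand the pairs. */

/* Constructed sample streams. */
static const uint8_t BENIGN[]    = { 4, 2, 'A', 2, 'B' };   /* -> "AABB"      */
static const uint8_t MALICIOUS[] = { 4, 255, 'X' };         /* 255 bytes into 4 */

/* Scratch buffer used by the demo below. Sized larger than any header can
 * declare (255) so the demo itself cannot corrupt memory. */
static uint8_t scratch[256];
static size_t  scratch_written;

/* Unchecked unpacker: trusts the header and every pair's count.
 * Returns the number of bytes written. With `out` sized to the declared
 * length, MALICIOUS makes it write 251 bytes past the end of `out`.
 * This is the "before" version and is only ever called on BENIGN here. */
size_t rle_unpack_unchecked(const uint8_t *in, size_t in_len, uint8_t *out)
{
    size_t pos = 0;
    for (size_t i = 1; i + 1 < in_len; i += 2) {
        memset(out + pos, in[i + 1], in[i]);   /* BUG: no bound on pos+count */
        pos += in[i];
    }
    return pos;
}

/* Checked unpacker: rejects a header larger than the real buffer, an odd
 * (truncated) pair list, any run that would exceed the declared length, and
 * a stream that does not fill exactly what it declared.
 * Returns 0 and sets *written on success, -1 on a malformed stream. */
int rle_unpack_checked(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *written)
{
    if (in_len < 1 || (in_len - 1) % 2 != 0) return -1;
    size_t declared = in[0];
    if (declared > out_cap) return -1;
    size_t pos = 0;
    for (size_t i = 1; i + 1 < in_len; i += 2) {
        size_t count = in[i];
        if (count > declared - pos) return -1;  /* this run would overflow */
        memset(out + pos, in[i + 1], count);
        pos += count;
    }
    if (pos != declared) return -1;             /* short stream: also reject */
    *written = pos;
    return 0;
}

/* How many bytes the unchecked unpacker would write beyond a buffer of the
 * declared size (0 if the stream is consistent). Computed without writing. */
size_t rle_overflow_bytes(const uint8_t *in, size_t in_len)
{
    if (in_len < 1) return 0;
    size_t declared = in[0], total = 0;
    for (size_t i = 1; i + 1 < in_len; i += 2) total += in[i];
    return total > declared ? total - declared : 0;
}

int main(void)
{
    size_t n = rle_unpack_unchecked(BENIGN, sizeof BENIGN, scratch);
    printf("unchecked on BENIGN: %zu bytes: %.*s\n", n, (int)n, scratch);
    printf("unchecked on MALICIOUS would overflow by %zu bytes\n",
           rle_overflow_bytes(MALICIOUS, sizeof MALICIOUS));
    int rc = rle_unpack_checked(MALICIOUS, sizeof MALICIOUS,
                                scratch, MALICIOUS[0], &scratch_written);
    printf("checked on MALICIOUS: %s\n", rc == 0 ? "accepted" : "rejected");
    return 0;
}
```

The bounds check fixes this one bug, but it does not change what the article's quoted researcher is pointing at: however careful the parser, it still runs with the privileges of whatever process hosts it. Running the same unpacker in a sandboxed, unprivileged process means that the next missed check corrupts a throwaway worker instead of the kernel.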
Without adding file system hooks to the kernel, how should a real-time antivirus tool trap attempts to read potentially infected files?
Sometimes I think the PC Matic guys are right: a whitelist is a more reliable way to block malware. But a whitelist requires more diligence to maintain if you don't want to turn a PC into a game console, and diligence is something sorely lacking in the non-technical majority.
details straight from Project Zero
TIL that Blogger was bought by Google in 2003...
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I remember when Windows Vista came out Microsoft tried to lock down the kernel, but got sued by the above mentioned security vendors. This is what happens when you put your trust in third party vendors.
http://www.dailytech.com/Micro...
ryanmc1: "I remember when Windows Vista came out Microsoft tried to lock down the kernel, but got sued by the above mentioned security vendors. This is what happens when you put your trust in third party vendors."
'The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise. It may break some current exploits, but it won't break new ones. Any program that has access to kernel space can take over the machine. It could load a whole new OS if it wanted to.'
The 'real kernel' still needs to pass it down into the VM from physical media for processing. And the VM would need to be supervised by the host, not just launched and forgotten - the sandboxing won't help much if the virus hijacks the sandbox, and makes it pass everything through as 'clean' regardless of the content - the host needs to constantly monitor integrity of the checking process.
There are 'jailbreak' attacks that allow escaping VM sandbox and infecting the host, but they are difficult and rare.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
You're wrong on #2.
Porn sites do NOT spread malware. Maybe at one time they did, but not any more.
I have an anecdote to prove my point (this is the internet, after all)
A guy brings in his computer it has a virus. He's sure the kid has been doing "naughty" things on it and got it infected. Digital AIDS as it were.
I fixed the virus and did an "audit" of the PC's surfing history and searches and so on, giving me a timeline up to the point where it got infected.
The kid was indeed surfing porn. I asked the guy when he and momma went to bed. "10:00" he said. I told him I could tell. Little Johnny was surfing for "hot milfs", "Zoo porn" and other horrible things starting at 10:30. But the virus didn't get downloaded then.
The virus got downloaded at 7:30 in the morning when the adult got on the PC and did a google search for "TV Repair in [local town name]" and followed whatever link was there that took him to a fake antivirus driveby download.
In other words, Bestiality? Safe. TV Repair? Not safe.
I have other examples too, such as malicious ads on PBS kids and Drudge report and so on.
Flappinbooger isn't my real name