Symantec has patched a remote code execution vulnerability that affects the Antivirus Engine (AVE) used in most of its products.
On Monday, security researcher Tavis Ormandy published a blog post in which he provides some details on CVE-2016-2208, an ASPack remote heap/pool memory corruption vulnerability.
Specifically, he observes that a buffer overflow can occur in the AVE found in all platforms of Symantec Endpoint Antivirus, Norton Antivirus, Symantec Scan Engine, and Symantec Email Security when parsing executable files packed by an early version of the ASPack file compressor.
His proof-of-concept (POC) code reveals that the vulnerability is easy to exploit. A remote attacker need only send a victim a file or trick them into clicking on a link.
No other user interaction is needed to trigger the flaw.
"On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get," Ormandy explained in his post.
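The article gives only the class of the bug (a heap overflow while unpacking a packed executable), not its mechanics, so the following is an added illustration of that class and not code from Symantec's engine or from Ormandy's post. It assumes a hypothetical unpacker format (a small header with `packed_size` and `unpacked_size`, followed by run-length pairs) chosen purely to show where the missing check sits: an unpacker that allocates the output size the file claims, then decodes runs into it without re-checking the cursor, can be pushed past its heap allocation by a payload whose runs sum to more than the header promised. The hardened version validates every field read from the file and bounds each write.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical packed-section header for illustration; the real ASPack layout
 * is not described on the page and is not modelled here. */
typedef struct {
    uint32_t packed_size;   /* bytes of RLE payload after the header (file-controlled) */
    uint32_t unpacked_size; /* output size the unpacker is asked to allocate (file-controlled) */
} section_hdr;

#define MAX_UNPACKED (1u << 20) /* policy cap on one section's decoded output */

enum { UNPACK_OK = 0, UNPACK_TRUNCATED = -1, UNPACK_BAD_HEADER = -2,
       UNPACK_OVERFLOW = -3, UNPACK_OOM = -4 };

/*
 * The defect class: an unchecked decoder allocates unpacked_size bytes and
 * writes every decoded run straight into that buffer, trusting that the
 * payload never produces more output than the header promised. A payload
 * whose run counts add up past unpacked_size overruns the heap allocation.
 *
 * Hardened decoder: every field that comes from the file is validated, and
 * the write loop compares the output cursor with the allocation on each run.
 */
int unpack_section(const uint8_t *buf, size_t len, uint8_t **out, size_t *out_len)
{
    section_hdr h;
    if (!buf || !out || !out_len || len < sizeof h) return UNPACK_TRUNCATED;
    memcpy(&h, buf, sizeof h);
    if (h.packed_size > len - sizeof h) return UNPACK_TRUNCATED;   /* claims more data than present */
    if (h.unpacked_size == 0 || h.unpacked_size > MAX_UNPACKED) return UNPACK_BAD_HEADER;
    if (h.packed_size % 2 != 0) return UNPACK_BAD_HEADER;           /* payload is (count, byte) pairs */

    uint8_t *dst = calloc(h.unpacked_size, 1);
    if (!dst) return UNPACK_OOM;

    const uint8_t *p = buf + sizeof h;
    size_t pos = 0;
    for (uint32_t i = 0; i < h.packed_size; i += 2) {
        size_t run = p[i];
        uint8_t val = p[i + 1];
        if (run > h.unpacked_size - pos) {   /* the bound the unchecked pattern lacks */
            free(dst);
            return UNPACK_OVERFLOW;
        }
        memset(dst + pos, val, run);
        pos += run;
    }
    *out = dst;
    *out_len = pos;
    return UNPACK_OK;
}

/* Builds a constructed sample section: header followed by RLE pairs. */
static size_t build_sample(uint8_t *buf, uint32_t unpacked_size,
                           const uint8_t *pairs, size_t npairs)
{
    section_hdr h = { (uint32_t)(npairs * 2), unpacked_size };
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, pairs, npairs * 2);
    return sizeof h + npairs * 2;
}

int main(void)
{
    uint8_t buf[64];
    uint8_t *out = NULL;
    size_t out_len = 0;

    /* Well-formed sample: two runs totalling exactly 8 bytes into an 8-byte section. */
    const uint8_t good[] = { 5, 'A', 3, 'B' };
    size_t n = build_sample(buf, 8, good, 2);
    int rc = unpack_section(buf, n, &out, &out_len);
    printf("well-formed: rc=%d, decoded %zu bytes\n", rc, out_len);
    if (rc == UNPACK_OK) free(out);

    /* Malformed sample: header promises 8 bytes, the runs would write 300. */
    const uint8_t bad[] = { 200, 'A', 100, 'B' };
    n = build_sample(buf, 8, bad, 2);
    rc = unpack_section(buf, n, &out, &out_len);
    printf("malformed:   rc=%d (UNPACK_OVERFLOW is %d)\n", rc, UNPACK_OVERFLOW);
    return 0;
}
```

The same shape of check applies whatever the real compression scheme is: the sizes in the file are input, not facts, and the decoder's output cursor must be compared with the buffer it actually allocated, not with the size the file asked for. When such a parser runs as root or inside the kernel, as the quoted post describes, a missed bound of this kind is what turns a malformed file into a memory-corruption primitive in a privileged context.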
Ormandy reported the vulnerability and a series of other flaws to Symantec on April 28th. The maker of Norton Antivirus responded by publishing its own advisory on Monday.
In it, Symantec announces that it has patched CVE-2016-2208:
"Norton and Symantec Enterprise products that ship with the AV Engine and regularly launch and run LiveUpdate should already have received an updated version installing updates for this issue."
The other flaws discovered by Ormandy have yet to receive a patch, however. As explained by Eduard Kovacs of SecurityWeek, those particular issues cannot be fixed through LiveUpdate. Instead, they require maintenance patches, which take longer to roll out.
To protect against the exploitation of those and other vulnerabilities, Symantec recommends that organizations restrict access to privileged users, implement vendor patches as soon as they become available, and follow a multi-layered security approach.