Multiple Parsing Vulnerabilities in Symantec Decomposer Engine: millions of users at risk!
Many enterprise and home Symantec users are exposed to remote code execution vulnerabilities reported by Google’s Project Zero.
These vulnerabilities require no user interaction and sit in software that runs at the highest privilege levels possible: in certain cases on Windows the vulnerable code is even loaded into the kernel, so a successful attack results in remote kernel memory corruption.
Who is affected?
Symantec use the same core engine across their entire product line, so all Symantec and Norton branded antivirus products are affected by these vulnerabilities, including:
- Norton Security, Norton 360, and other legacy Norton products (All Platforms)
- Symantec Endpoint Protection (All Versions, All Platforms)
- Symantec Email Security (All Platforms)
- Symantec Protection Engine (All Platforms)
- Symantec Protection for SharePoint Servers
The complete list of affected products is available on Symantec’s website:
How does it work?
Many developers will be familiar with executable packers like UPX: tools that reduce the size of executables by compressing them. This causes a problem for antivirus products, because a packed executable no longer looks like the original code the scanner knows.
Antivirus vendors address this in two ways.
First, they write dedicated unpackers that reverse the most common packers; second, they use emulation to handle less common and custom packers.
The problem with both approaches is that they are hugely complicated and prone to vulnerabilities; it is extremely challenging to make code like this safe. We recommend sandboxing and a Security Development Lifecycle, but vendors will often cut corners here.
Let’s look at the Symantec and Norton Antivirus case. It has an unusual characteristic: Symantec runs its unpackers in the kernel, so a bug in an unpacker is a kernel bug.
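To make the bug class concrete, here is an added, constructed example in C; it is not Symantec’s unpacker and not the code Project Zero analysed. The packed-file format, the `struct section` layout, the `IMAGE_SIZE` constant and the sample bytes are all invented for illustration. It shows a toy unpacker that rebuilds an in-memory image from a file’s section table, first trusting the attacker-controlled size fields and then validating them with wrap-safe arithmetic.

```c
/* Added example, not Symantec's code: a toy unpacker that rebuilds an
 * in-memory image from the section table of a "packed" file.  The file
 * format, struct layout and sample bytes are invented for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE 64u   /* hypothetical SizeOfImage of the unpacked target */

/* Invented section record: where the bytes live in the packed file and
 * where the unpacker must place them in the rebuilt image. */
struct section {
    uint32_t raw_offset;    /* start of section data inside the file */
    uint32_t raw_size;      /* number of bytes stored in the file */
    uint32_t virtual_addr;  /* destination offset inside the image */
};

/* Vulnerable loader: trusts every field of the section table.  A crafted
 * raw_size or virtual_addr makes memcpy read past the file or write past
 * the image; in an engine that runs in the kernel that is kernel memory
 * corruption. */
int load_unchecked(const uint8_t *file, size_t file_len,
                   const struct section *secs, size_t nsecs,
                   uint8_t *image, size_t image_size)
{
    (void)file_len; (void)image_size;   /* bounds are never consulted */
    for (size_t i = 0; i < nsecs; i++)
        memcpy(image + secs[i].virtual_addr,
               file + secs[i].raw_offset, secs[i].raw_size);
    return 0;
}

/* Hardened loader: every attacker-controlled field is validated before use,
 * with each check written as a subtraction so the arithmetic cannot wrap. */
int load_checked(const uint8_t *file, size_t file_len,
                 const struct section *secs, size_t nsecs,
                 uint8_t *image, size_t image_size)
{
    for (size_t i = 0; i < nsecs; i++) {
        const struct section *s = &secs[i];
        if (s->raw_offset > file_len ||
            s->raw_size > file_len - s->raw_offset)        /* source in file? */
            return -1;
        if (s->virtual_addr > image_size ||
            s->raw_size > image_size - s->virtual_addr)    /* dest in image? */
            return -1;
        memcpy(image + s->virtual_addr, file + s->raw_offset, s->raw_size);
    }
    return 0;
}

/* Constructed sample input: a 16-byte packed file carrying "PACKED" at
 * offset 4 after a 4-byte fake header. */
static const uint8_t sample_file[16] =
    { 'H','D','R',0, 'P','A','C','K','E','D', 0,0,0,0,0,0 };

/* Benign table: 6 bytes from file offset 4 land at image offset 8. */
static const struct section benign[1] = { { 4, 6, 8 } };

/* Malicious table: raw_size of 0xFFFFFFFC.  In 32-bit arithmetic
 * 8 + 0xFFFFFFFC wraps to 4, so a check of the form
 * "virtual_addr + raw_size <= image_size" would wrongly pass. */
static const struct section malicious[1] = { { 4, 0xFFFFFFFCu, 8 } };

static uint8_t g_image[IMAGE_SIZE];   /* rebuilt image shared by the demo */

/* Runs the hardened loader on one table; returns 1 if accepted, 0 if not. */
int unpack_ok(const struct section *secs, size_t nsecs)
{
    memset(g_image, 0, sizeof g_image);
    return load_checked(sample_file, sizeof sample_file, secs, nsecs,
                        g_image, sizeof g_image) == 0;
}

int main(void)
{
    if (unpack_ok(benign, 1))
        printf("benign table accepted: image[8..13] = %.6s\n",
               (const char *)g_image + 8);
    printf("malicious table: %s\n",
           unpack_ok(malicious, 1) ? "accepted" : "rejected");
    /* load_unchecked() on the malicious table is deliberately not run:
     * it would copy ~4 GiB past both buffers and crash the process. */
    return 0;
}
```

The point of the two checks in `load_checked` is that they compare against a remaining length (`file_len - raw_offset`, `image_size - virtual_addr`) rather than adding attacker-supplied values together; a check written as `virtual_addr + raw_size <= image_size` is itself defeated by the wrapped value in the malicious table. In a scanner that runs in user space this class of bug crashes or hijacks the scanner process; where the engine is loaded into the kernel, as the article notes for Symantec on Windows, the same write goes into kernel memory.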
More technical information is on the Project Zero website:
Some other resources from tech blogs:
Hurry up, it’s update time!