I think most security researchers have this love/hate relationship with Tavis Ormandy. We typically love his work, but we hate it when he finds a particularly juicy bug. This hate is compounded when the bug is easy to exploit and you have that feeling of “if I had only looked there first….” The life of a security researcher is like this.
So it is no surprise that on June 28, 2016 a vulnerability in Symantec’s Antivirus Decomposer engine, used in Symantec Endpoint Protection and other Symantec and Norton security products, was acknowledged by Symantec Corporation in a security advisory issued by the company, and we all loved and hated Tavis all over again.
The Main Vulnerability
As a member of the Project Zero team at Google, Tavis released an advisory that details memory corruption when using crafted malicious files to trigger a flaw in the Symantec Antivirus Decomposer engine, an engine used in pretty much the entire Symantec and Norton security product line including their flagship product Symantec Endpoint Protection.
A common technique for malicious code authors is to use “packers” to compress the size of their malicious code. This technique of using packers is in itself not malicious, as many code developers are familiar with and use the technique, but what this means is an antivirus product has to automatically unpack the packed code so that it can be examined for maliciousness. By altering some basic size parameters in the packed code’s headers, size discrepancies cause memory allocation errors in this Antivirus Decomposer engine and bingo! Code execution of the attacker’s choice by supplying a chunk of code that will trigger this flaw.
One would assume that a product running on a system would need elevated privileges in order to handle antivirus tasks. That means the code that the attacker is executing gives them root privileges on Linux, Mac and other Unix variants running affected Symantec products, and not just administrative access, but kernel-level code execution on Windows. To quote Tavis on this one, this is as bad as it gets.
Assigned CVE-2016-2208, this vulnerability is easy to trigger. Just send a malicious file to a victim. Or send them a link that points to the file. This can be in email, IM, whatever - as long as Symantec’s thorough engine that checks files for maliciousness can touch it for examination, it can be triggered.
If the Symantec product is the desktop, just receiving the file in email is enough - it doesn’t have to be opened, the antivirus product does that for you to check it. If the Symantec product runs on the email server, then the attacker just ran code of his choosing on your email server with administrative privileges. You get the idea.
What Do You Do
Symantec has made patches available for the affected products in their security advisory. It is highly recommended that you check this security advisory to ensure you follow the correct steps to patch any affected products you are using.
In some (but not all) cases, a normal update to the antivirus “defined definitions” will deliver the needed patch, but some organizations may want to force a manual update of the defined definitions as quickly as possible to ensure systems are immediately patched. It is also possible that multiple affected products with different patching options may be deployed within a single organization, so again, check the advisory.
One Additional Note
This was the main vulnerability discussed in the security bulletin and in Tavis’ blog post. There are a number of other flaws, but really, this one is bad enough. It should also be noted that the blog post includes links to even more details including example exploit code, so patch away.
In summary, Tavis Ormandy is a Jedi who apparently waves his hand at software and bugs fall out at his feet. We hate him. We also love him. Good job Tavis, you are making the world safer, one enterprise deployment at a time.