Tavis Ormandy is arguably Google's most famous security researcher and he works as part of Google's Project Zero. Project Zero is the part of Google tasked with improving overall computer security across the world by assessing other businesses' software and servers. Essentially, Project Zero plays the role not too dissimilar from poacher-turned-gamekeeper. The team of security researchers spend time looking for weaknesses so that they can let the target company know before a hacker finds these weaknesses and exploits them. Project Zero typically lets the target company know of the weakness with a deadline before it goes public, but this follows some discussion and negotiation with the target company. Today, Tavis posted a blog regarding the security holes found in some of Symantec's software.
Symantec is one of the leading enterprise security vendors, offering a number of different products based around the same core engine across much of the world, including the consumer-facing Norton brand. The products affected by these vulnerabilities included Norton Security, Norton 360, Symantec Endpoint Protection, Symantec Email Security, and Symantec Protection Engine, plus others. In Tavis' words, these discovered critical vulnerabilities "are as bad as it gets." The Symantec core engine runs at the highest privilege levels permissible on the host system and on some Windows platforms, put vulnerable code into the kernel – such as unpackers. An executable unpacker is designed to reduce the size of an executable by compressing it, but this can cause issues with antivirus products because it changes the makeup of the executable. The workaround used by antivirus applications is to use a combination of their own unpackers and software emulation so as to take a look inside the executable file. Google recommends a sandboxing process here but notes that many vendors (Comodo, ESET, Kaspersky, Fireeye are named) will use a workaround to cut the corner, thus giving the system a vulnerability.
In the case of Symantec, Tavis discovered that it was possible to persuade Symantec to run an executable by exploiting an out of memory bug. The Google Project Zero researcher noted that simply sending an infected email could be enough to cause problems without the user opening the email, as the Symantec code inspects the contents before it is accessed. Tavis also discovered a glitch when parsing Microsoft PowerPoint files and using the "Bloodhound Heuristics" part of the application at the program default setting, where it also proved possible to exploit this vulnerability – and run applications as SYSTEM for Windows boxes and with root access on other platforms.
Tavis' other comments concerned how Symantec hadn't updated code derived from open source for at least seven years. This is not good news for a business with a keen eye on its enterprise market. Symantec confirmed that it had fallen behind on newer releases. However, there is good news: after letting Symantec know of these critical vulnerabilities, Tavis thanked them for their help in resolving these bugs quickly. Symantec have also promised to add additional steps in its security testing process to prevent similar vulnerabilities from existing going forwards.