Yes the well-known Symantec: Tavis Ormandy, is a member of Google's Project Zero Team. The researcher has recently discovered vulnerabilities in top security software, and Symantec's time has come.
So, according to the researcher, the vulnerabilities he discovered affect a large number of Symantec products, and can not be repaired through automatic updates.
Ormandy says on Google's blog: “(The vulnerabilities) do not require any user interaction, and can affect the default configuration of even software running with the highest privilege levels. In some cases on Windows, the vulnerable codes can also be loaded into the kernel, resulting in kernel memory corruption.”
The vulnerable code referred to by Ormandy is part of ASPack, the commercial packaging software used by Symantec to pack the software that analyzes files and scans for malware.
Ormandy reports that Symantec's error is that this component runs at the core of the operating system with the highest privileges available. So the vulnerability gives the attacker a gold ticket for complete control of the system.
In addition to this main issue that has been registered as CVE-2016-2208, the researcher also supports that he has found multiple buffer overflows and memory corruption issues.
The researcher also discovered that Symantec had been using open source libraries in its products, such as libmspack and unrarsrc, but forgot to update them for the last seven years. An attacker should only find the right tool available freely on the Internet to breach any system running Symantec products.
Some of these issues are insignificant, according to Ormandy, who states that some others do not require user interaction, and that some of them are wormable. But everything is able to spread to other nearby devices with the infected.
The list of affected products includes: all Norton product, Endpoint Protection, Email Security, Protection Engine, Protection for SharePoint Servers and more.
In all cases, the vulnerable points are cross-platform. The company, however, is said to have released patches for all affected products.
In May, Ormandy helped Symantec close another security gap in its product. In addition to Symantec, the same researcher found bugs in the software and other major security companies such as FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG.
