Yes the well-known Symantec: Tavis Ormandy, is a member of Google's Project Zero Team. The researcher has recently discovered vulnerabilities in top security software, and Symantec's time has come.
So, according to the researcher, the vulnerabilities he discovered affect a large number of Symantec products, and can not be repaired through automatic updates.
Ormandy says in a Google blog post: "(vulnerabilities) do not require any user interaction, and can affect the default configuration even of software running at the highest privilege levels. In some cases in Windows, the vulnerable code can also be loaded into the kernel, destroying the kernel memory. ”
The vulnerable code referred to by Ormandy is part of ASPack, the commercial packaging software used by Symantec to pack the software that analyzes files and scans for malware.
Ormandy reports that Symantec's error is that this component runs at the core of the operating system with the highest privileges available. So the vulnerability gives the attacker a gold ticket for complete control of the system.
In addition to this main issue that has been registered as CVE-2016-2208, the researcher also supports that he has found multiple buffer overflows and memory corruption issues.
The researcher also discovered that Symantec had been using open source libraries in its products, such as libmspack and unrarsrc, but forgot to update them for the last seven years. An attacker should only find the right tool available freely on the Internet to breach any system running Symantec products.
Some of these issues are insignificant, according to Ormandy, who states that some others do not require user interaction, and that some of them are wormable. But everything is able to spread to other nearby devices with the infected.
The list of affected products includes: all Norton products, Endpoint Protection, Email Security, Protection Engine, Protection for SharePoint Servers, and more.
In all cases, vulnerabilities are cross-platform. The company, however, allegedly has released patches for all affected products.
In May, Ormandy helped Symantec close another security gap in its product. In addition to Symantec, the same researcher found bugs in the software and other major security companies such as FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG.