Yes, the well-known Symantec: Tavis Ormandy, is a member of Google's Project Zero team. The researcher the last space has discovered vulnerabilities in the software of leading security companies, and it seems Symantec's time has come.
So, according to the researcher, the vulnerabilities he discovered affect a large number of Symantec products, and can not be repaired through automatic updates.
Ormandy says in a Google blog post: "(vulnerabilities) do not require any user interaction, and can affect the default configuration even of software running at the highest privilege levels. In some cases in Windows, the vulnerable code can also be loaded into the kernel, destroying the kernel memory. ”
The vulnerable code referred to by Ormandy is part of ASPack, the commercial packaging software used by Symantec to pack the software that analyzes files and scans for malware.
Ormandy says that Symantec's mistake is that this component runs in the kernel of the operating system, with the highest privileges available. So the vulnerability it gives the attacker a golden ticket to full control of the system.
In addition to this main issue listed as CVE-2016-2208, the researcher also claims to have found multiple buffer overflows and themememory corruption.
The researcher also discovered that Symantec had been using open source libraries in its products, such as libmspack and unrarsrc, but forgot to update them for the last seven years. An attacker should only find the right tool available freely on the Internet to breach any system running Symantec products.
Some of these topics are asignaldah, according to Ormandy, who mentions that some others don't require user interaction, and that some of them are wormable. But all of them are able to spread to other nearby devices with the infected one.
The list of affected products includes: all Norton products, Endpoint Protection, Email Security, Protection Engine, Protection for SharePoint Servers, and more.
In all cases, vulnerabilities are cross-platform. The company, however, allegedly has released patches for all affected products.
In May, Ormandy helped Symantec close another security flaw in its product. In addition to Symantec, the same researcher found bugs in the software of other major security companies, such as FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG.
