Yes, the well-known Symantec: Tavis Ormandy, is a member teamof Google's Project Zero. The researcher has recently discovered vulnerabilities in the software of leading security companies and it seems that Symantec's time has come.
So, according to the researcher, the vulnerabilities he discovered affect a large number of Symantec products, and can not be repaired through automatic updates.
Ormandy says in a Google blog post: "(vulnerabilities) do not require any user interaction, and can affect the default configuration even of software running at the highest privilege levels. In some cases in Windows, the vulnerable code can also be loaded into the kernel, destroying the kernel memory. ”
The vulnerable code referred to by Ormandy is part of ASPack, the commercial packaging software used by Symantec to pack the software that analyzes files and scans for malware.
Ormandy reports that Symantec's error is that this component runs at the core of the operating system with the highest privileges available. So the vulnerability gives the attacker a gold ticket for complete control of the system.
In addition to this major issue listed as CVE-2016-2208, the researcher also claims to have found multiple buffer overflows and issues memory corruption.
The researcher also discovered that Symantec had been using open source libraries in its products, such as libmspack and unrarsrc, but had forgotten to update them for the past seven years. An attacker would only have to find the right one tool which is freely available on the Internet, to compromise any system running Symantec products.
Some of these issues are insignificant, according to Ormandy, who states that some others do not require user interaction, and that some of them are wormable. But everything is able to spread to other nearby devices with the infected.
The list of affected products includes: all Norton products, Endpoint Protection, Email Security, Protection Engine, Protection for SharePoint Servers, and more.
In all cases, vulnerabilities are cross-platform. The company, however, allegedly has released patches for all affected products.
In May, Ormandy helped Symantec close another one security gap in its product. In addition to Symantec, the same researcher found bugs in the software of other major security companies, including FireEye, ESET, Kaspersky, Bromium, Trend Micro, Comodo, Malwarebytes, Avast, and AVG.