Google Calls Symantec Security 'As Bad as It Gets'

Symantec issued product updates after Google Project Zero's Tavis Ormandy discovered vulnerabilities that could "compromise an entire enterprise."

Download the authoritative guide: The Ultimate Guide to IT Security Vendors


White hat hacker Tavis Ormandy tore into Symantec's security solutions June 28 on the Google Project Zero blog, citing major vulnerabilities in its products designed and sold to keep users safe.

"These vulnerabilities are as bad as it gets," wrote Ormandy.

He described scenarios in which users don't even need to be duped into opening infected emails—just receiving them is enough. Yet Symantec isn't protecting against these emails, he said.

"They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," Ormandy wrote. "In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

Ormandy went into detail about the way Symantec software unpacks information and the company's decision to use a filter driver to intercept input/output information.

"The victim does not need to open the file or interact with it in anyway (sic). Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers," he wrote. "An attacker could easily compromise an entire enterprise fleet using a vulnerability like this."

The brands affected include:

• Norton Security, Norton 360 and legacy Norton products;

• Symantec Endpoint Protection (all versions, all platforms);

• Symantec Email Security (all platforms);

• Symantec Protection Engine (all platforms); and

• Symantec Protection for SharePoint Servers.

Project Zero alerts companies to the problems it finds with their products and gives them 90 days to fix the problems before it takes its findings public.

Ormandy published his Symantec thrashing the same day that Symantec released a security advisory.

Ormandy thanked the Symantec team for resolving the bugs. But his overall message was clear: "Symantec dropped the ball here," he wrote.

The Project Zero scathing arrives as Symantec is in the process of acquiring Web security company Blue Coat for $4.65 billion.

"With this transaction, we will have the scale, portfolio and resources necessary to usher in a new era of innovation designed to help protect large customers and individual consumers against insider threats and sophisticated cyber-criminals," Symantec Chairman Dan Schulman said in a June 12 statement.

In an unusual but telling move, Blue Coat CEO Greg Clark has been named CEO of Symantec upon completion of the purchase.

Clark said in the same statement that he looked forward to "working with the strongest, deepest team in security to realize the many strategic and financial benefits this transaction will create."