The Homeland Security Department warned of severe security gaps in Symantec and Norton antivirus programs, including those extensively deployed throughout government systems, which could lead to data breaches and ransomware attacks.

"Symantec and Norton branded antivirus products contain multiple vulnerabilities. Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system," DHS officials said in the alert published through the United States Computer Emergency Readiness Team.

The weaknesses, according to the alert, affect 24 security products, including Symantec Endpoint Protection, Symantec Email Security, Norton Security, and Symantec Protection for SharePoint Servers.


"The large number of products affected, across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or system privilege) make this a very serious event. A remote, unauthenticated attacker may be able to run arbitrary code at root or system privileges by taking advantage of these vulnerabilities," the DHS alert said.

The alert advised that Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. A remote trigger could activate a malicious file via email with no user interaction.

DHS also provided a link to a Google researcher's depiction of the situation. "These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," Tavis Ormandy, of Google's Project Zero team, wrote in a company blog post June 28.

Google's Ormandy reported the security flaws to Symantec and helped devise fixes, according to the antivirus company. Symantec has provided patches or hotfixes for these vulnerabilities.

CERT recommended users and system administrators fix their Symantec programs immediately. Some products do not update automatically and require administrators to take manual action on their networks.

Late last year, Congress granted DHS new powers to scan agency networks for intruders using a federal firewall called EINSTEIN. The federal government has awarded Symantec contracts worth $63 million since 2008, according to USASpending.gov.

In February, the threat of ransomware was at the core of an FBI alert and a DHS letter to a Senate committee.

 


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).