Published in News

Symantec’s Windows kernel loading anti-virus is a nightmare

by on19 May 2016


Who would have thunk it?

Symantec hit on a wizard wheeze for creating a more secure version of windows by jacking its security software into the kernel.


But according to Tavis Ormandy of Google's Project Zero team Symantec created a pile of pain for Windows users. But it turned out that the Symantec Antivirus Engine was vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files.

Symantec warned in its advisory on the issue dubbed CVE-2016-2208 that Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site.

"No user interaction is required to trigger the parsing of the malformed file,"

Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process.

However in Windows this results in kernel memory corruption, as the scan engine is loaded into the kernel making this a remote ring0 memory corruption vulnerability -- this is about as bad as it can possibly get, Ormandy said.

Apparently the "most common symptom of a successful attack" would be a system crash and a blue screen of death. Amusingly when Ormandy attempted to inform Symantec of the vulnerability, the email he sent crashed Symantec's mail server. 

Symantec pushed out a fix for its products on Monday, and said products that run LiveUpdate should be patched.

Last modified on 19 May 2016
Rate this item
(5 votes)