While testing its Windows security software, Blink, with Symantec Antivirus, eEye Digital Security techs discovered:

A remotely exploitable vulnerability exists within the Symantec Antivirus program. This flaw does not require any end user interaction for exploitation and can compromise affected systems, allowing for the execution of malicious code with SYSTEM level access.

Further tests revealed that Symantec Antivirus 10.x and Symantec Client Security 3.x are vulnerable, but the current security suite is not. Other Symantec products have not been checked.

[Figure: Symantec Stock Fortunes Match A/V Performance? Price history - SYMC (5/26/2005 - 5/25/2006); MSN Money.]
eEye techs rate the severity of the flaw as High, due to the way it enables a remote attacker to penetrate and execute code on a vulnerable system.

This is not the first time Symantec’s anti-virus products have rendered systems more vulnerable to attack, rather than less. Since January 2006 alone, the National Vulnerability Database has logged several stumbles:

  • Symantec Gateway Security: The HTTP proxy in Symantec Gateway Security 5000 Series 2.0.1 and 3.0, and Enterprise Firewall 8.0, when NAT is being used, allows remote attackers to determine internal IP addresses by using certain HTTP requests. [CVE-2006-2341]
  • Symantec Scan Engine: Symantec Scan Engine 5.0.0.24, and possibly other versions before 5.1.0.7, stores sensitive log and virus definition files under the web root with insufficient access control, which allows remote attackers to obtain the information via direct requests. [CVE-2006-0232]
    In addition, it uses the same private DSA key for each installation, which allows remote attackers to conduct man-in-the-middle attacks and decrypt communications. [CVE-2006-0231]
    As if that’s not bad enough, this version of Symantec Scan Engine uses a client-side check to verify a password, which allows remote attackers to gain administrator privileges via a modified client that sends certain XML requests. [CVE-2006-0230]
  • Symantec LiveUpdate for Macintosh: An untrusted search path vulnerability in unspecified components of Symantec LiveUpdate for Macintosh 3.0.0 through 3.5.0 leaves the execution path unset, which allows local users to gain privileges via a Trojan horse program. [CVE-2006-1836]
  • Symantec Norton SystemWorks and Norton SystemWorks Premier: Symantec Norton SystemWorks and SystemWorks Premier 2005 and 2006 stores temporary copies of files in the Norton Protected Recycle Bin NProtect directory, which is hidden from the FindFirst and FindNext Windows APIs and allows remote attackers to hide arbitrary files from virus scanners and other products. [CVE-2006-0166]
    This was the much heralded rootkit-like cloaking that, once the spotlight hit, Symantec quickly discontinued.

All in all, eEye’s Head Hacker, Marc Maiffret, apparently isn’t too impressed with Symantec’s programming. As he told Dark Reading’s Mike Fratto, “Finding exploitable bugs in security software is bad enough, but finding generic problems like stack-based buffer overflow indicates systemic issues. Using secure development practices is costly for small developers, but a billion-dollar company like Symantec can afford it.”

Meanwhile, Microsoft and Intel are rapidly building a suite of products and services that will erode user enthusiasm for third-party antivirus solutions. At the same time, more network managers and ISPs are looking to funnel all WAN traffic through antivirus-armoured network gateways.
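The “generic problem” Maiffret refers to, a stack-based buffer overflow in a network-facing parser, is easy to see in miniature. The following is an added illustration written for this article, not code from eEye or Symantec, and it says nothing about how the Symantec flaw itself is laid out: the record format (one length byte followed by that many name bytes), the function names, and the sample records are all invented here. It places the unsafe pattern beside the bounded version so the one missing check stands out.

```c
/* Added example (not eEye's or Symantec's code): a stack-based buffer
 * overflow in a hypothetical record parser, next to its hardened form.
 * Record format, function names and sample records are invented here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* fixed-size stack buffer in both parsers */

/* Hypothetical network record: one length byte, then that many name bytes.
 * A remote peer controls every byte, including the length. */

/* Vulnerable form: the declared length is checked against the input only,
 * never against the destination. A length byte above NAME_MAX - 1 writes
 * past 'name' into the saved frame pointer and return address; in a
 * privileged service that is the remote, no-user-interaction, SYSTEM-level
 * bug class. Shown for comparison; never feed it an untrusted record. */
int parse_name_unsafe(const uint8_t *rec, size_t reclen, char *out, size_t outlen)
{
    char name[NAME_MAX];
    if (reclen < 1) return -1;
    size_t n = rec[0];
    if (reclen < 1 + n) return -1;       /* bounds the read, not the write */
    memcpy(name, rec + 1, n);            /* BUG: n may exceed sizeof name */
    name[n] = '\0';                      /* BUG: terminator may land past the end too */
    snprintf(out, outlen, "%s", name);
    return 0;
}

/* Hardened form: refuse any record whose declared length cannot fit in the
 * buffer (with room for the terminator) before a single byte is copied.
 * Rejecting, rather than silently truncating, also keeps the caller from
 * acting on a name the peer never actually sent. */
int parse_name_safe(const uint8_t *rec, size_t reclen, char *out, size_t outlen)
{
    char name[NAME_MAX];
    if (reclen < 1) return -1;
    size_t n = rec[0];
    if (n >= sizeof name) return -2;     /* oversized: reject */
    if (reclen < 1 + n) return -1;       /* short read: reject */
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    snprintf(out, outlen, "%s", name);
    return 0;
}

/* Constructed record: declared length 5, body "alice". */
int good_record_verdict(char *out, size_t outlen)
{
    const uint8_t rec[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    return parse_name_safe(rec, sizeof rec, out, outlen);
}

/* Constructed hostile record: declared length 200, body of 200 'A's. Only
 * the hardened parser is run on it; the unsafe one would smash its frame. */
int oversized_record_verdict(void)
{
    uint8_t rec[1 + 200];
    char out[64];
    rec[0] = 200;
    memset(rec + 1, 'A', 200);
    return parse_name_safe(rec, sizeof rec, out, sizeof out);
}

/* Constructed truncated record: claims 5 bytes, carries 1. */
int truncated_record_verdict(void)
{
    const uint8_t rec[] = { 5, 'a' };
    char out[64];
    return parse_name_safe(rec, sizeof rec, out, sizeof out);
}

/* The unsafe parser behaves identically on well-formed input, which is why
 * ordinary testing does not find this bug class. */
int unsafe_on_good_record(char *out, size_t outlen)
{
    const uint8_t rec[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    return parse_name_unsafe(rec, sizeof rec, out, outlen);
}

int main(void)
{
    char out[64];
    printf("good record:      %d (%s)\n", good_record_verdict(out, sizeof out), out);
    printf("oversized record: %d\n", oversized_record_verdict());
    printf("truncated record: %d\n", truncated_record_verdict());
    printf("unsafe, good rec: %d (%s)\n", unsafe_on_good_record(out, sizeof out), out);
    return 0;
}
```

The point of the side-by-side is that both parsers pass every functional test a developer is likely to write; only the check that compares attacker-supplied length against the destination buffer separates a working feature from a remote code execution bug, which is why Maiffret treats the presence of this class as a process problem rather than a one-off.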

Will Symantec find its footing in this rapidly deteriorating environment? So far, it looks like a substantial portion of the stock market is betting against them, as the company’s stock price has dropped a third since May 2005. (McAfee’s performance isn’t setting the world on fire, either.)

fyi: At this writing, Zacks average brokerage recommendation for both Symantec and McAfee is Hold.
