Over the last week, the attention of IT professionals has been drawn to Symantec, as details were released of more than two dozen vulnerabilities in its anti-virus software, many of which have been rated "high" severity. The vulnerabilities cover most of the company's consumer and enterprise products, and some of the affected products must be manually updated by partners or customers to remediate the issues.
Is it really that bad?
Of the vulnerabilities uncovered across 25 of Symantec's products, most are rated "high" severity. This is because the vulnerabilities are fairly easy to exploit, and "from there hackers could compromise an entire enterprise fleet using a vulnerability like this," said Tavis Ormandy, a researcher with Google's Project Zero who helped discover the vulnerabilities.
"These vulnerabilities are as bad as it gets," Ormandy said. "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."
The vulnerabilities centre mostly on the component Symantec uses to unpack compressed executables, which runs in the kernel. Ormandy used odd-sized records, which the unpacker incorrectly rounded up, to create a buffer overflow. The overflow could be triggered by something as simple as emailing a file or a link to a victim, with no need for them to open it, because Symantec uses a filter driver to intercept all system I/O and scans the content automatically, Ormandy said.
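The following C program is an added illustration of the bug class described above; it is not Symantec's code and is not from the original post. It uses a constructed, hypothetical record format (one length byte followed by that many payload bytes) and a decoder that pads every record to an even size. The vulnerable unpacker validates the destination against the declared record lengths but copies the rounded-up lengths, so a stream of odd-sized records writes past the buffer; the hardened version budgets the size that will actually be written before each copy. In a kernel-mode unpacker the stray bytes would land in adjacent pool memory; here a canary placed directly after the buffer stands in for that neighbour so the overwrite is observable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, hypothetical record stream (not Symantec's format): each
 * record is one length byte followed by that many payload bytes. Output
 * records are padded to an even size, as a word-aligned decoder might do. */
enum { UNPACK_TRUNCATED = -1, UNPACK_TOO_BIG = -2 };

static size_t round_up_even(size_t n) { return (n + 1) & ~(size_t)1; }

/* Sum of the declared record lengths, rejecting records that run past
 * the end of the input. */
static long declared_total(const uint8_t *in, size_t in_len)
{
    size_t total = 0, p = 0;
    while (p < in_len) {
        size_t n = in[p];
        if (n > in_len - 1 - p)
            return UNPACK_TRUNCATED;
        total += n;
        p += 1 + n;
    }
    return (long)total;
}

/* Vulnerable: capacity is checked against the declared sizes, but the copy
 * uses the rounded-up sizes, so each odd record writes one unbudgeted byte.
 * Returns bytes written, or a negative error code. */
long unpack_vulnerable(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    long total = declared_total(in, in_len);
    if (total < 0)
        return total;
    if ((size_t)total > out_cap)          /* looks like a bounds check... */
        return UNPACK_TOO_BIG;
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        size_t n = in[ip];
        size_t padded = round_up_even(n); /* BUG: padding was never budgeted */
        for (size_t i = 0; i < padded; i++)
            out[op + i] = (i < n) ? in[ip + 1 + i] : 0;
        op += padded;
        ip += 1 + n;
    }
    return (long)op;
}

/* Hardened: the remaining capacity is compared with the size that will
 * actually be written, record by record, before any byte is copied. */
long unpack_hardened(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        size_t n = in[ip];
        if (n > in_len - 1 - ip)
            return UNPACK_TRUNCATED;
        size_t padded = round_up_even(n);
        if (padded > out_cap - op)        /* check the padded size, not n */
            return UNPACK_TOO_BIG;
        for (size_t i = 0; i < padded; i++)
            out[op + i] = (i < n) ? in[ip + 1 + i] : 0;
        op += padded;
        ip += 1 + n;
    }
    return (long)op;
}

/* Constructed samples: two odd-sized records (7 and 5 payload bytes) that
 * declare 12 bytes but expand to 14 once padded, and a truncated record. */
static const uint8_t SAMPLE[] = { 7, 'A', 'B', 'C', 'D', 'E', 'F', 'G',
                                  5, 'h', 'i', 'j', 'k', 'l' };
static const uint8_t TRUNCATED[] = { 7, 'A', 'B' };

/* Destination sized exactly for the declared total, with a canary right
 * after it standing in for whatever memory would follow the buffer. */
#define CANARY 0xCAFEBABEu
struct frame { uint8_t buf[12]; uint32_t canary; };

typedef long (*unpack_fn)(const uint8_t *, size_t, uint8_t *, size_t);

/* Return code of fn on SAMPLE with a destination of cap bytes; the scratch
 * buffer is oversized so the vulnerable overwrite stays inside it. */
long run_on_sample(unpack_fn fn, size_t cap)
{
    uint8_t scratch[64] = {0};
    return fn(SAMPLE, sizeof SAMPLE, scratch, cap);
}

long run_on_truncated(unpack_fn fn)
{
    uint8_t scratch[64] = {0};
    return fn(TRUNCATED, sizeof TRUNCATED, scratch, sizeof scratch);
}

/* 1 if unpacking SAMPLE into the 12-byte buffer overwrote the canary. The
 * struct is passed as a byte array so the stray bytes land in the canary. */
int clobbers_canary(unpack_fn fn)
{
    struct frame f = { {0}, CANARY };
    fn(SAMPLE, sizeof SAMPLE, (uint8_t *)&f, sizeof f.buf);
    return f.canary != CANARY;
}

int main(void)
{
    printf("vulnerable unpacker clobbered canary: %d\n", clobbers_canary(unpack_vulnerable));
    printf("hardened unpacker clobbered canary:   %d\n", clobbers_canary(unpack_hardened));
    return 0;
}
```

The vulnerable path reports success after writing 14 bytes into a 12-byte destination; the hardened path stops at the second record with a size error and leaves the canary intact. The point generalises beyond even-padding: whatever the alignment or rounding rule, the bounds check must be applied to the quantity the copy loop actually uses.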
Symantec said in its advisory that it is not aware of any of the vulnerabilities being exploited.
"90% of Trident customers trust Sophos to keep them secure. Perhaps the time has finally come to switch to Sophos."
What products are affected?
A large number of products are affected because Symantec uses the same core engine across many products, including its consumer and enterprise lines. According to an advisory posted by Symantec, the affected enterprise products include:
- Advanced Threat Protection
- Symantec Data Center Security:Server (SDCS:S)
- Symantec Web Security .Cloud
- Email Security Server .Cloud (ESS)
- Symantec Web Gateway
- Symantec Endpoint Protection (SEP)
- Symantec Endpoint Protection for Mac (SEP for Mac)
- Symantec Endpoint Protection for Linux (SEP for Linux)
- Symantec Protection Engine (SPE)
- Symantec Protection for SharePoint Servers (SPSS)
- Symantec Mail Security for Microsoft Exchange (SMSMSE)
- Symantec Mail Security for Domino (SMSDOM)
- CSAPI
- Symantec Message Gateway (SMG)
- Symantec Message Gateway for Service Providers (SMG-SP)
The vulnerabilities also affected nine of the company's consumer Norton products.
Is there a fix yet?
Symantec has "verified these issues and addressed them in product updates. To fully mitigate the identified vulnerabilities, Symantec recommends applying the required patches to the affected products as soon as possible. This is the only means to ensure that installed products cannot be exploited," the advisory said.
What does Trident Recommend?
For over 10 years, Trident has been recommending Sophos anti-virus and endpoint protection solutions. Whilst no security vendor claims 100% protection, we've assessed many products over the years and every time Sophos ends up ahead in pricing, protection and support. That's why it's the only endpoint protection solution we offer! Sophos also offers email, antivirus and anti-spam solutions, and with the recent acquisition of Cyberoam its UTM firewall solutions provide world-class protection.
There are a few resources available for you to read over:
- General information about Sophos - https://www.sophos.com/en-us/lp/sophos-vs-symantec.aspx
- Which is easier, Upgrading Symantec, or switching to Sophos - https://www.sophos.com/en-us/security-news-trends/security-trends/upgrading.aspx