Google finds critical flaws in popular Symantec, Norton antivirus software
Google Project Zero finds Symantec failed to update vulnerable open source code for up to 7 years
Your antivirus software may be making your computer more vulnerable to hackers instead of protecting it — and you should update it right now.
Multiple "critical" vulnerabilities have been found in all antivirus software made by Symantec, including Norton brand products, Google's Project Zero blog reported this week.
"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," wrote Tavis Ormandy, a member of the Google team that hunts for undiscovered security flaws in the world's software.
Symantec dropped the ball here.- Tavis Ormandy, Google Project Zero
Many are "wormable" vulnerabilities that can be used to make attacks remotely without the user doing anything: "Just emailing a file to a victim or sending them a link to an exploit is enough to trigger it — the victim does not need to open the file or interact with it in any way."
Symantec issued a security advisory saying it has "verified the issues and addressed them in product updates."
Some products don't update automatically
Some of the antivirus products will automatically update, but others won't, meaning that network administrators and customers may have to take action to stop the vulnerabilities from being exploited, now that they've been made public.
"Symantec continually improves the protection delivered by our products with regular updates, and we always recommend that customers upgrade to the latest version to get the best protection.," Symantec said in a statement emailed to CBC News. "Customers can get the latest versions now.… For more information, customers may contact their product support agents."
The company isn't aware of any of the vulnerabilities being exploited by hackers, it said in its security advisory.
However, Ormandy noted that Symantec was using old versions of open source code, some containing "dozens" of public vulnerabilities, some of which were known to have been exploited by hackers.
"Symantec dropped the ball here," he wrote, noting that some of the code hadn't been updated by Symantec "in at least seven years."
The company says it has added "additional checks to our Secure Development LifeCycle to mitigate similar issues in future."
Symantec products are some of the most popular antivirus packages on the market, including Norton Security, Norton 360 and Symantec Endpoint Protection. Symantec says that in 2015, it was the world's largest endpoint security vendor, protecting 175 million devices on corporate networks.
San Francisco-based OPSWAT, which makes security and IT management software, estimates that Symantec has 7.1 per cent of the antivirus market, after Avast, Microsoft, AVG and Avira.