
Symantec/Norton Antivirus Remote Heap/Pool Memory Corruption CVE-2016-2208 - reubenmorais
https://bugs.chromium.org/p/project-zero/issues/detail?id=820
======
technion
It's high time some of these compliance groups got together and had a good
hard look at themselves.

It's been years since desktop signature-based antivirus provided a significant
improvement to security. Every time there's a cryptolocker outbreak, I see
people scrambling to make decisions like "we need to replace McAfee with
Kaspersky", as though they feel that's their answer.

When you try telling an insurance auditor "we have a whitelisting application,
nothing runs unless I've approved it, products like Symantec Endpoint are
unnecessary in that environment", you first get a confused look, then you hear
"ok, so you DON'T meet the minimum basic security requirements, let me
write that down".

It's gotten to a point that it's actively part of Intel Security's
advertising, with a recent partner promotion pushing to "help your clients
meet their compliancy requirements". The brochure never even mentioned
actually securing anything, just how it ticked various boxes.

~~~
pilif
This is actually a real problem; we need public perception changed. If you have
proper white-listing in place then AV does nothing but actually decrease the
security as these AV programs probably need to be white-listed and thus expose
the machines to the kinds of issues as shown here.

Unless the compliance auditors are happy with the software just being
installed and don't check whether it actually runs. That would still be a
colossal waste of money for the licenses but at least it would not compromise
your security.

~~~
wmt
It's a really sad truth that to this date the only effective way to almost
fully stop malware is to take away the ability from people to do what they
want with their computers.

All operating systems that have some way to allow people to run malware will
get malware. Windows, OSX, GNU, Android all can get infected quite easily.
Then there's iOS where you cannot, and instead Apple decides which software
you can or cannot run.

The downside is of course that you cannot run any software going against the
corporate values of Apple.

If you want the right to shoot yourself in the foot, AV is the necessary evil
you must have, unless of course you're sure you'll never visit a website that
contains an exploit, old or zeroday, against your browser or its components,
and you will never open an office document, PDF or executable that has malware
in it. And even then you can get owned.

~~~
lima
> If you want the right to shoot yourself in the foot, AV is the necessary
> evil you must have

No. AVs are actually pretty useless at stopping anything except the most basic
attacks (and sometimes, not even that - just look at Cryptolocker).

Use Google Chrome (really! Firefox isn't even playing in the same league
security-wise), disable Flash player, only run trusted executables with valid
digital signatures.

~~~
dhimes
_Use Google Chrome (really! Firefox isn't even playing in the same league
security-wise)_

Can you elaborate just a little on this please?

~~~
pilif
Firefox still doesn't use process separation between page rendering and the
browser chrome. The thing that renders the pages on Chrome is a subprocess per
tab (at considerable memory cost) which is also running in a sandbox.

In Firefox all tabs run in the same process and thus inherently can't be
sandboxed (because it needs to write to the disk cache and save files the user
downloads).

~~~
the8472
Dev Edition has process separation and content process sandboxing.

~~~
lima
Now we only have to wait 5 years until they find all the obvious sandbox
escape bugs.

------
CiPHPerCoder
If you've been following Tavis Ormandy's work, you already know this:

    Anti-Virus software is a trash-fire.

You can't buy security, but you _can_ learn it:
[http://decentsecurity.com/#/introduction/](http://decentsecurity.com/#/introduction/)

I've long argued that the only sustainable security strategy is _education_.

If you're a developer/engineer/consultant/rockstar/ninja/etc. and never
bothered to learn how to write secure software, start here:
[https://paragonie.com/blog/2015/08/gentle-introduction-appli...](https://paragonie.com/blog/2015/08/gentle-introduction-application-security)

~~~
hndl
> "You can't buy security, but you can learn it:
> [http://decentsecurity.com/#/introduction/](http://decentsecurity.com/#/introduction/)"

I think that's an incorrect standpoint to take when you factor in how
technologically agnostic most folks are. I would better think of it as
"security is default, but you can disable it if you really, really want it
that way."

~~~
CiPHPerCoder
Security isn't the default, though. Specific example: SMTP.

------
epmatsw
Oh my god mailing the report to them crashed their mail server. You can't make
this stuff up.

~~~
molyss
I didn't understand that part at first, but it is hilarious.

They apparently use their own product on their email server, which unpacked
the POC by guessing the password of the archive, scanned the uncompressed file
and triggered the bug that was being reported. Love it!

------
saturncoleus
Can't help but wonder if attackers already knew this. There seems to be quite
a few bugs found by taviso in antivirus code in the past few months, which has
got to either attract attackers to look more closely at it or possibly break
their existing exploits. Either way, it's frightening!

Increasingly, my non-computer-savvy family members ask me what kind of
antivirus they should use. I used to pick one to tell them since I know they
aren't as cautious as I am, but I am not sure I have a good answer for them
any more. Has AV software reached the point that a lay user is more vulnerable
with it than without it?

~~~
pfg
My current recommendation when I get asked that question is not to bother with
any third-party AV and just use Windows 10 with Windows Defender (unless
they're on OS X anyway). When I'm asked to set things up, I switch their
default browser to Chrome (or Firefox for those who "don't like Google"), add
uBlock Origin and use Click-To-Play for plugins (which, surprisingly, isn't
much of an inconvenience once you block ads anyway). If someone asks for extra
protection, I add OpenDNS Umbrella to the setup ($20/year for 3 devices),
which is a nice additional layer of defense. Chromebooks are also a great
option if someone's not doing much other than email, web browsing and such.

My other recommendation is to use a tablet for things like online banking.
(Yes, even an outdated Android tablet is probably less likely to catch malware
that will steal your money than an average computer.)

~~~
progers7
This is the first time I have heard of OpenDNS Umbrella. I just gave it a try
(they have a free trial) and it's really nice--after some simple configuration
you pretty much just set your router's DNS to OpenDNS and then your DNS
requests are both monitored and lightly protected.

The product is geared towards medium-to-large networks so it's a little hard
to find the prosumer $20/yr plan. Here's a link if anyone else is interested:
[https://www.opendns.com/enterprise-security/threat-enforceme...](https://www.opendns.com/enterprise-security/threat-enforcement/package-comparison/small-teams/)

------
rdtsc
> On Linux, Mac and other UNIX platforms, this results in a remote heap
> overflow as root in the Symantec or Norton process.

Is this a real thing? Hands up, who runs Norton on Linux? Is it because it is
used as a central back-end / service to check attachments? But then why does
it run as root?

~~~
mcpherrinm
At least in the card processing space, one of the PCI requirements is "5.1
Deploy anti-virus software on all systems commonly affected by malicious
software (particularly personal computers and servers)."

The phrase "commonly affected" is the place to make an argument here, but I'm
sure people take the easy option of just running an antivirus.

~~~
nihonde
Right, and that requirement loses all of its nuance when it lands on someone's
checklist as "anti-virus software on PCs and servers".

When my company gets asked why we answer "no" to that question, my canned
response is "because anti-virus software would almost certainly be the most
exploitable vector on our systems".

~~~
technion
Not all auditors will accept that answer. Mine sure don't.

~~~
nihonde
In that case, the answer is "yes" and the definition of "industry-standard
virus scanning software" becomes flexible enough to include a firewall?

------
beernutz
Ok, this is some dark humor:

It looks like the researcher sent a proof of concept zip file to symantec
which was pw protected with a common password. Symantec's system then tried
the common password, extracted the zip, scanned the POC code inside, which
crashed their own system.

From the report:

> Project Member Comment 1 by taviso@google.com, Yesterday (42 hours ago)
>
> I think Symantec's mail server guessed the password "infected" and crashed
> (this password is commonly used among antivirus vendors to exchange samples),
> because they asked if they had missed a report I sent.
>
> They had missed the report, so I sent it again with a randomly generated
> password.

------
hwhatwhatwhat
_> This is a remote code execution vulnerability._

I understand how this vulnerability can be used to corrupt the heap, as it's
writing more data than malloc was asked to reserve, so it can overwrite memory
allocations from other parts of the program.

I am curious as to how one would create a reliable remote code execution
exploit out of this? I guess that one may be able to find a function pointer
somewhere to overwrite, and use that to control program flow to your
shellcode - but as this is dynamically allocated memory, could it not be
adjacent to pretty much anything?

How would an attacker approach making a remote code execution exploit, given
these constraints? Is it possible in practice or more theoretical?

(I'm not challenging this classification, just would really like to know how
this works!)

------
drewg123
"scan engine is loaded into the kernel (wtf!!!)"

That rings a bell -- I remember back in the early/mid 2000s, when the AV
vendors started to port their products to Mac OS X. The darwin (OSX)
kernel/driver mailing lists seemed to get a lot of questions from AV devs,
asking how to do things in the kernel that really, really, really should not
be in the kernel. It was at that point I resolved to never run any AV software.

------
yread
Well, at least they handled it fairly quickly - it was submitted on May 6th
and according to
[https://www.symantec.com/security_response/securityupdates/d...](https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160516_00)
a patch was deployed and should be automatically downloaded. I'm running
Symantec and LiveUpdate did download some stuff but nowhere it says whether
version 20151.1.1.4 is already there or not. Ah well

------
JustSomeNobody
Operating systems need to offer better protection. I am tired of buying the OS
then having to go buy the equivalent of anti-lock brakes, air bags and seat
belts from a third party.

This is just a stupid, lazy way of doing business.

~~~
hwhatwhatwhat
What specific protections do you have in mind?

