Calling a set of recently disclosed vulnerabilities "as bad as it gets," Google security researcher Tavis Ormandy outlined several critical flaws in the security offerings of Symantec, including both their enterprise offerings as well as under Symantec's consumer brand, Norton.
The worst of the flaws lets a user send a hostile payload that, once unpacked by automated processes, runs "software runs at the highest privilege levels possible."
The affected software includes, but is not limited to, the following products:
- Norton Security, Norton 360, and other legacy Norton products (All Platforms)
- Symantec Endpoint Protection (All Versions, All Platforms)
- Symantec Email Security (All Platforms)
- Symantec Protection Engine (All Platforms)
- Symantec Protection for SharePoint Servers
While the flaws have been patched by Norton, some of the software does not automatically patch itself and must be manually secured.
In a statement, Symantec acknowledge the security flaws and stated it had been working with Ormandy to remedy the situation, and that fixes are available now:
Symantec continually improves the protection delivered by our products with regular updates, and we always recommend that customers upgrade to the latest version to get the best protection. To ensure our products are as effective as possible we not only rely on our own experts, but we also listen to independent security researchers like Tavis Ormandy. In this case, Symantec has been working with Tavis, who approached us with a number of vulnerabilities that he had discovered after examining our enterprise and Norton products. Customers can get the latest versions now.