Troubles have once again found Norton Security and Symantec Security software. In late June, Google’s Project Zero found critical vulnerabilities in the server protection systems. Google stated that: “these vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases, on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption. As Symantec use the same core engine across their entire product line, all Symantec and Norton-branded antivirus products are affected by these vulnerabilities (Ormandy, 2016).”
Norton is an affiliated cyber-security brand operating under the umbrella of Symantec Security. All security services on the market must manage their vulnerabilities. This is where organizations and services like Google’s Project Zero come in. Symantec/Norton hire third-party researchers to seek out vulnerabilities in their security products. They are also expected to monitor new releases of the third-party software they depend on, watch for vulnerability announcements, and distribute updates that address those vulnerabilities. Symantec did not perform these responsibilities. In fact, Symantec has been shipping code derived from open-source libraries but has not updated that code in the last 7 years.
Some of the vulnerabilities in Symantec’s/Norton’s software include but are not limited to:
- PowerPoint Stream Stack Buffer Overflow
- Bloodhound Heuristics
- Memory Corruption
Google has long been active in, and maintained relationships within, the security research community. To find vulnerabilities in websites and security software, Google created the Project Zero team. The goal of the team is to find vulnerabilities and report them so that the problem can be solved before someone with malicious intent finds the same holes. It is important to remember that companies like Symantec and Norton are not delinquent or reneging on their responsibilities. There will always be holes in security services, which is why companies hire third-party vulnerability seekers.
In order to find the vulnerabilities, Google first gathers information on Symantec, usually information that can be found online; anyone with the desire can find this public information. Project Zero will scour blogs, websites, social media or any other source that might hold useful information. They are looking for clues such as email addresses and the layout or structure of the network.
After the legally obtainable public information is collected, the Project Zero team scans the target for open ports. Certain port numbers alert Project Zero to likely vulnerabilities. Services listen on ports; if the service behind a port can be manipulated, a hacker could use that access to make it do anything they wanted.
Google Project Zero then runs an automated vulnerability scanner, which flags vulnerabilities faster than looking for them manually. It usually probes unpatched software and checks the version number of the software. Once vulnerabilities have been found, the team starts testing them.
Security researchers cannot rely solely on existing tools if the goal is to find all of the vulnerabilities in the security software. At this point Project Zero team members manually attempt to “break” into the software. Team members need extensive knowledge of how the software works in order to avoid permanently damaging the client’s software.
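The version-number check in the automated scanning step above, and the stale open-source code mentioned earlier, are the kind of thing a vendor can catch on its own side before a researcher does. The following is an added example, not code from Project Zero or Symantec: it audits a constructed component inventory against a constructed "latest upstream release" feed, flagging components that are behind upstream or that have not been refreshed within a chosen window. Component names, versions and dates are all hypothetical; the `audit` and `is_behind` functions are this example's own. It also shows why versions must be compared numerically rather than as strings.

```python
"""Dependency-freshness audit over a constructed component inventory.

Added example (not from the original page): flags bundled third-party
components that lag behind their upstream release or have gone unrefreshed
for too long, which is the check a vendor should run continuously.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    name: str           # hypothetical component name
    version: str        # version currently bundled in the product
    last_updated: date  # when the bundled copy was last refreshed


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str           # "outdated", "stale" or "unknown"
    detail: str


# Constructed sample inventory; these are not real components of any product.
INVENTORY = [
    Component("archive-parser", "3.1.0", date(2009, 3, 2)),
    Component("image-decoder", "2.0.9", date(2016, 5, 20)),
    Component("compression-lib", "1.2.9", date(2015, 11, 3)),
    Component("legacy-codec", "0.9", date(2010, 1, 1)),
]

# Constructed "latest known upstream release" feed (hypothetical values).
LATEST_KNOWN = {
    "archive-parser": "5.2.1",
    "image-decoder": "2.0.9",
    "compression-lib": "1.2.10",
    # "legacy-codec" deliberately absent: no upstream data to compare against.
}

TODAY = date(2016, 7, 1)  # fixed reference date so the example is reproducible


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so comparison is numeric, not lexical.

    A plain string comparison would rank '1.2.9' above '1.2.10' because
    '9' > '1', silently hiding an available update.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_behind(installed: str, latest: str) -> bool:
    """True when the bundled version is numerically older than upstream."""
    return parse_version(installed) < parse_version(latest)


def audit(inventory, latest_known, today, max_age_days=365):
    """Return one Finding per problem detected across the inventory."""
    findings = []
    for comp in inventory:
        latest = latest_known.get(comp.name)
        if latest is None:
            findings.append(Finding(comp.name, "unknown",
                                    "no upstream release data; cannot verify"))
        elif is_behind(comp.version, latest):
            findings.append(Finding(comp.name, "outdated",
                                    f"bundled {comp.version}, upstream {latest}"))
        age_days = (today - comp.last_updated).days
        if age_days > max_age_days:
            findings.append(Finding(comp.name, "stale",
                                    f"last refreshed {age_days} days ago "
                                    f"(limit {max_age_days})"))
    return findings


def summarize(findings):
    """Group finding kinds by component name for a quick report."""
    report = {}
    for f in findings:
        report.setdefault(f.component, set()).add(f.kind)
    return report


if __name__ == "__main__":
    for f in audit(INVENTORY, LATEST_KNOWN, TODAY):
        print(f"{f.component:16} {f.kind:9} {f.detail}")
```

Running the script lists `archive-parser` as both outdated and stale, `compression-lib` as outdated only (the numeric comparison catches 1.2.9 versus 1.2.10), `legacy-codec` as stale with no upstream data, and `image-decoder` as clean. The "unknown" kind is deliberate: a component with no release feed cannot be declared current, so it should surface in the report rather than pass silently.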
Once a vulnerability is found, there is a standard course of action Google Project Zero must adhere to. The team must tell the affected company before informing anybody else. In turn, the company asks for a set amount of time to repair the vulnerability before the information is disclosed to the public.
Symantec and Norton have begun patching the vulnerabilities in their cloud-based products, and the legacy products will be patched shortly. However, it will not take long for criminal hackers to spot these vulnerabilities as well and take advantage of them.