Critical Symantec Endpoint Protection Vulnerability

Published: 2016-06-29. Last Updated: 2016-06-29 19:26:52 UTC
by Johannes Ullrich (Version: 1)

Google's "Project Zero" released details about a number of critical vulnerabilities in Symantec's Endpoint Protection product [1]. The vulnerabilities allow for arbitrary code execution on systems with this product installed. Other Symantec products are affected as well, since the vulnerabilities affect the core scanning engine that Symantec Endpoint Protection shares with them.

Symantec has released updates, and given the details released by Google you should update as soon as possible. Note that you will need to update the actual Symantec product (the engine), which is different from performing a signature update; signature updates happen automatically, and having current signatures does not mean the engine is patched.
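To tell the two apart on a fleet, the following PowerShell is an added example (not part of this diary and not Symantec's own tooling). It reads the installed SEP product version and the virus definitions date from the registry and reports which endpoints still need the product update. Assumptions: the registry locations are those Symantec documents for SEP 12.x clients (the Wow6432Node fallback is included in case a 32-bit client sits on 64-bit Windows), and the minimum patched version is a placeholder parameter that you must take from Symantec's advisory for this issue; it is not stated here.

```powershell
# Added example, not from the ISC diary or from Symantec.
# Reports SEP engine (product) version separately from definition date,
# so a box with fresh signatures but an old engine is not mistaken for patched.

function Get-SepPatchState {
    param(
        # Placeholder: take the real minimum fixed build from Symantec's advisory.
        [Parameter(Mandatory = $true)]
        [version]$MinimumPatchedVersion
    )

    # Assumed registry locations (SEP 12.x client); first existing path wins.
    $candidateKeys = @(
        'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion',
        'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\CurrentVersion'
    )
    $sepKey = $candidateKeys | Where-Object { Test-Path $_ } | Select-Object -First 1

    if (-not $sepKey) {
        return [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            Installed          = $false
            ProductVersion     = $null
            DefinitionsDate    = $null
            NeedsProductUpdate = $false
        }
    }

    # PRODUCTVERSION is the engine/product build, e.g. "12.1.6867.6400".
    $productVersion = [version](Get-ItemProperty -Path $sepKey -Name PRODUCTVERSION).PRODUCTVERSION

    # LatestVirusDefsDate reflects signature content only; it says nothing about the engine.
    $stateKey = Join-Path $sepKey 'public-opstate'
    $defsDate = (Get-ItemProperty -Path $stateKey -Name LatestVirusDefsDate -ErrorAction SilentlyContinue).LatestVirusDefsDate

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Installed          = $true
        ProductVersion     = $productVersion
        DefinitionsDate    = $defsDate
        NeedsProductUpdate = ($productVersion -lt $MinimumPatchedVersion)
    }
}

# Usage: run across endpoints via WinRM and list the ones still on an old engine.
# '12.1.9999.9999' is a placeholder, not a real fixed build number.
$minimum  = [version]'12.1.9999.9999'
$targets  = Get-Content .\endpoints.txt            # one hostname per line
$results  = Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-SepPatchState} -ArgumentList $minimum
$results | Where-Object { $_.Installed -and $_.NeedsProductUpdate } |
    Sort-Object ProductVersion |
    Format-Table Computer, ProductVersion, DefinitionsDate -AutoSize
```

The design point is the separate columns: a recent DefinitionsDate alongside an old ProductVersion is exactly the state this diary warns about, and it is the one a dashboard that only tracks definition age will miss.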

[1] http://googleprojectzero.blogspot.ca/2016/06/how-to-compromise-enterprise-endpoint.html

---
Johannes B. Ullrich, Ph.D.


Comments

Take this one seriously. Very deadly for those using unpatched Symantec products.
This IS a bad one - patch immediately!
I concur that this is very serious, especially given that the files are unpacked in the Windows kernel (who in their right mind unpacks anything in the kernel?).
Re: unpacking in kernel

"But we've done it that way for decades! What could possibly go wrong?"
Despite this being an extremely serious vulnerability, I don't see how any enterprise would roll this out immediately.
This is a product that would touch almost each and every endpoint in an organisation. Before rolling out, it would have to go through a process of testing to ensure that it does not bring with it any instability or incompatibility that wasn't present in past versions.

I would expect to see at least a 2 month gap before mass rollouts happen.
It is amazing what you can accomplish with a sword hanging over you. The possibility of tens of thousands of systems compromised is quite motivating.
Curious if anyone has confirmed whether EMET can mitigate this attack.
It would be interesting to know if AV would benefit from the opt-in protections of EMET.

Typically I think of high-risk user apps as ideal targets for EMET (docs, browsers, email, Flash, etc.) and I never considered AV as a candidate, but it seems like the attacks (heap, pool, ROP) should be right up EMET's alley, unless the level of privileges or the way the unpacking is done in the kernel makes EMET unable to protect the memory?
