SANS ISC: Critical Symantec Endpoint Protection Vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums

Critical Symantec Endpoint Protection Vulnerability

Google's "Project Zero" released details about a number of critical vulnerabilities in Symantec's Endpoint Protection product [1]. The vulnerabilities allow for arbitrary code execution on systems with this product installed. Other Symantec products are affected as well, since the vulnerabilities affect the core scanning engine used in Symantec Endpoint Protection.

Symantec has released updates, and given the details released by Google you should update as soon as possible. You will need to update the actual Symantec product, which is different from performing a signature update (the signature update happens automatically).


Johannes B. Ullrich, Ph.D.


4513 Posts
ISC Handler
Jun 29th 2016
Take this one seriously. Very deadly for those using unpatched Symantec products.
This IS a bad one - patch immediately!

2 Posts
I concur that this is very serious, especially given that the files are unpacked in the Windows kernel (who in their right mind unpacks anything in the kernel?).

69 Posts
Re: unpacking in kernel

"But we've done it that way for decades! What could possibly go wrong?"

27 Posts
Despite this being an extremely serious vulnerability, I don't see how any enterprise would roll this out immediately.
This is a product that would touch almost each and every endpoint in an organisation. Before rolling it out, it would have to go through a process of testing to ensure that it does not bring with it any instability or incompatibility that wasn't present in past versions.

I would expect to see at least a 2 month gap before mass rollouts happen.

32 Posts
It is amazing what you can accomplish with a sword hanging over you. The possibility of tens of thousands of systems compromised is quite motivating.
1 Posts
Curious whether anyone has confirmed if EMET can mitigate this attack.
It would be interesting to know if AV would benefit from the opt-in protections of EMET.

Typically I think of high-risk user apps as the ideal targets for EMET (Docs, Browsers, Email, Flash, etc.) and I never considered AV as a candidate, but it seems like the attacks (Heap, Pool, ROP) should be right up EMET's alley, unless the level of privileges or the way the unpacking is done in the kernel makes EMET unable to protect the memory?

3 Posts