
Google's Project Zero research team has been dedicated to finding zero-day exploits and vulnerabilities for nearly two years now. While it formed in response to the Heartbleed vulnerability, it searches for issues in both Google's own products and those of other companies — and the flaws it has uncovered in security software from Symantec are, in the words of Google researcher Tavis Ormandy, "as bad as things get."

Symantec uses a common engine for its enterprise and home security products, according to Ormandy. The list of critically compromised products includes:

  • Norton Security, Norton 360, and other legacy Norton products (All Platforms)
  • Symantec Endpoint Protection (All Versions, All Platforms)
  • Symantec E-mail Security (All Platforms)
  • Symantec Protection Engine (All Platforms)
  • Symantec Protection for SharePoint Servers, and so on

The first problem with Symantec's products is that they were running an executable unpacker — a software component designed to unpack an executable and check it for malicious code — directly within the kernel. Ormandy writes:

Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.

An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it's a significant trade-off in terms of increasing attack surface.

This flaw, alone, could be a showstopper, but it's not the only issue Google found with Symantec products. There are flaws in how Symantec scans PowerPoint streams that can be combined with its default heuristic settings to allow code execution as well. Finally, multiple libraries used in Symantec's entire suite of shipping products were found to be at least seven years out of date, with "dozens of public vulnerabilities."

Nobody wants to pay for security, including security companies

IT security has a well-earned reputation for being a hard and generally thankless job. Companies and individuals pay lip service to the high-level concept of security, but only a handful of people can claim to understand the topic in comprehensive fashion. It's easy to understand why so many companies have poor security practices, even if we don't particularly like the explanation: actually securing hardware and software is extremely difficult, while claiming to have implemented proper security is very easy.


This slide from a recent Symantec presentation completely omits "Fixed crippling zero-day exploits that completely compromised our product," for instance.

In theory, issues like this can be mitigated by outsourcing security product development to specialized companies, like Symantec. In practice, the same intrinsic difficulties that make proper security difficult within a corporation also make it hard to build specialized security suites — especially when there's such enormous tension between marketing, which wants a perpetual cadence of yearly update cycles, flashy new features, glitzy UI elements, and bullet points, and the actual task of developing and maintaining security software.

There's nothing sexy about a new version of Norton if the back of the box reads "Updated core libraries" or "Decreased attack surface thanks to a comprehensive audit of our own source code." Far from reassuring customers, this kind of disclosure could be read to imply that previous versions of the company's products weren't secure and didn't provide the benefits they promised. Balancing the need for this sort of comprehensive and ongoing under-the-hood security maintenance with new features and capabilities is extremely hard.

Symantec appears to have issued fixes for all of the issues Google reported. But the fact that these flaws persisted as long as they did is evidence that proper due diligence simply wasn't being conducted. In theory, consumers and businesses could punish Symantec for these oversights by contracting with other security vendors. In practice, there's no guarantee that products from other vendors are well-secured, either — and therefore no clear way to determine just how secure a given security suite actually is.