IT Security Guru
Uh-oh! Critical vulnerability in Symantec’s core scan engine – industry reaction

by The Gurus
May 18, 2016
in Editor's News
Symantec’s core scan engine has a critical vulnerability which lets attackers remotely execute code on a victim’s machine just by sending them an email or a link. The victim doesn’t even need to open it. It just has to be scanned by the AV program. The scan engine uses a filter driver to intercept I/O operations at the kernel level. In its advisory, Symantec acknowledged the existence of the flaw. It said it had been notified of a critical issue in the AVE scan engine when parsing incoming malformed portable-executable (PE) header files.
“Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site. No user interaction is required to trigger the parsing of the malformed file,” the advisory read.
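The advisory's phrase "parsing incoming malformed portable-executable (PE) header files" is the whole risk in one line: a scan engine that runs at kernel level reads offsets and counts out of attacker-supplied bytes, and any one of them it trusts without a bounds check becomes memory corruption in a privileged component. The following C program is an added illustration of the defensive discipline, not Symantec's code and not a reconstruction of the actual flaw: it validates the few header fields needed to locate a PE section table, checking every file-derived offset against the buffer length before dereferencing it. The sample images are constructed in the program itself, and the cap of 96 sections is an assumed conservative limit chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verdicts returned by the validator. */
enum pe_status { PE_OK = 0, PE_TOO_SHORT, PE_BAD_MZ, PE_BAD_LFANEW,
                 PE_BAD_SIG, PE_BAD_SECTIONS };

/* Little-endian readers; never called on an unchecked offset. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validates a buffer claimed to be a PE image. Only the fields needed to locate
   the section table are read (DOS header e_lfanew, PE signature, COFF
   NumberOfSections and SizeOfOptionalHeader); every offset derived from the
   file is bounded by 'len' before it is used. */
enum pe_status pe_validate(const uint8_t *buf, size_t len, uint16_t *nsections_out)
{
    if (len < 0x40) return PE_TOO_SHORT;                  /* DOS header is 64 bytes */
    if (buf[0] != 'M' || buf[1] != 'Z') return PE_BAD_MZ;

    uint32_t e_lfanew = rd32(buf + 0x3c);                 /* attacker-controlled */
    /* Must not overlap the DOS header, must lie inside the buffer, and must
       leave room for the 4-byte signature plus the 20-byte COFF header. */
    if (e_lfanew < 0x40 || e_lfanew > len || len - e_lfanew < 24) return PE_BAD_LFANEW;

    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return PE_BAD_SIG;

    uint16_t nsections = rd16(nt + 4 + 2);                /* COFF NumberOfSections */
    uint16_t opt_size  = rd16(nt + 4 + 16);               /* COFF SizeOfOptionalHeader */

    /* Assumed conservative cap for this example; a loop keyed on an unchecked
       16-bit count is exactly the kind of field a malformed file abuses. */
    if (nsections == 0 || nsections > 96) return PE_BAD_SECTIONS;

    /* Section table follows the optional header; each entry is 40 bytes.
       Divide rather than multiply so the comparison cannot overflow. */
    size_t sect_off = (size_t)e_lfanew + 24 + opt_size;
    if (sect_off > len || (len - sect_off) / 40 < nsections) return PE_BAD_SECTIONS;

    if (nsections_out) *nsections_out = nsections;
    return PE_OK;
}

#define SAMPLE_CAP 256

/* Constructed sample image (not a real binary): DOS header with the given
   e_lfanew, PE signature and COFF header at that offset, then 'tail' zero
   bytes standing in for the section table. If e_lfanew does not fit in the
   buffer, only the 64-byte DOS header is emitted. Returns the length. */
size_t build_sample(uint8_t *out, uint32_t e_lfanew, uint16_t nsections,
                    uint16_t opt_size, size_t tail)
{
    memset(out, 0, SAMPLE_CAP);
    out[0] = 'M'; out[1] = 'Z';
    for (int i = 0; i < 4; i++) out[0x3c + i] = (uint8_t)(e_lfanew >> (8 * i));
    size_t len = 0x40;
    if (e_lfanew >= 0x40 && (size_t)e_lfanew + 24 + tail <= SAMPLE_CAP) {
        memcpy(out + e_lfanew, "PE\0\0", 4);
        out[e_lfanew + 6]  = (uint8_t)nsections; out[e_lfanew + 7]  = (uint8_t)(nsections >> 8);
        out[e_lfanew + 20] = (uint8_t)opt_size;  out[e_lfanew + 21] = (uint8_t)(opt_size >> 8);
        len = (size_t)e_lfanew + 24 + tail;
    }
    return len;
}

/* Builds one constructed scenario and returns the validator's verdict. */
enum pe_status run_scenario(uint32_t e_lfanew, uint16_t nsections,
                            uint16_t opt_size, size_t tail)
{
    uint8_t buf[SAMPLE_CAP];
    size_t len = build_sample(buf, e_lfanew, nsections, opt_size, tail);
    return pe_validate(buf, len, NULL);
}

int main(void)
{
    static const char *names[] = { "ok", "too short", "bad MZ", "bad e_lfanew",
                                   "bad PE signature", "bad section table" };
    printf("well-formed:            %s\n", names[run_scenario(0x40, 1, 0, 40)]);
    printf("e_lfanew past EOF:      %s\n", names[run_scenario(0x7fffffffu, 1, 0, 40)]);
    printf("e_lfanew inside DOS hdr:%s\n", names[run_scenario(0x10, 1, 0, 40)]);
    printf("2 sections, room for 1: %s\n", names[run_scenario(0x40, 2, 0, 40)]);
    printf("huge optional header:   %s\n", names[run_scenario(0x40, 1, 0xffff, 40)]);
    printf("200 sections:           %s\n", names[run_scenario(0x40, 200, 0, 40)]);
    return 0;
}
```

Each rejected case is a header that is syntactically plausible but points outside the bytes actually received; the checks are ordered so that no later read depends on a value an earlier check has not already bounded, which is the property a privileged parser needs regardless of which field a malformed file manipulates.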
The Guru asked several security experts what they thought of this vulnerability.
Adam Vincent, CEO, ThreatConnect Inc:
“I don’t think anyone in the cybersecurity industry believes there is such a thing as a 100% hardened system, no matter how big your organisation or how talented. So, finding a vulnerability shouldn’t be news. In this case unfortunately, this is the Godzilla of vulnerabilities – making all the others seem small and insignificant.
Symantec moved quickly when this was discovered. We applaud their speed of communication and response. Instead of picking apart one particular vulnerability, we should understand the risk that comes from a vulnerability of this magnitude and admitting there are gaps in our security which allow vulnerabilities – whether Godzilla-sized or seemingly innocuous – to be exploited. The speed at which technology is evolving and the complexity of how to respond creates holes that allow attackers to get a foothold into your business.
We work with organisations of all sizes across different verticals, and we see the top performers addressing the same issue – the fragmentation of their security. They look not to just patch the latest vulnerability, but rather find ways to connect individuals across their organisation – from their GRC team and their IR team, to their supply chain partners and peers in their industry – to benefit from one another’s knowledge. Then, they use the intelligence derived from that collaboration to take it a step further through integration of their many tools. And, all of that leads to rapid detection and response which addresses the next vulnerability or threat found in a systematic, process-driven manner.
Gartner is predicting that by 2020, 60% of enterprise information security budgets will be allocated to rapid detection and response approaches. We should all be asking ourselves if we are making those investments now to close the gaps in our security and get ahead of the threats we face.”
Fraser Kyne, regional SE director at Bromium:
“The fact that AV isn’t enough to protect from modern threats has been accepted in the industry for a long time – even by the AV vendors themselves. However, the realisation that security software itself can actually introduce new vulnerabilities will be a shock to many. There is a simple rule: more code equals more vulnerabilities. When you install software, you add to the attack surface of the machine. AV is no exception. Add to this that malware detection rates are terrible, and that detection in concept is largely useless for polymorphic, targeted, 0-day malware, and it starts to question the use of AV at all. We have to reduce the attack surface of our systems and effectively isolate dangerous activity away from our important business processes. The concept that we have a trusted system that is also being used to browse the Internet and open emails forces us to take this seriously – or face the consequences. Common wisdom is to apply a layered approach of defence-in-depth. But if you do this without layers of separation/isolation and rely on detection at each layer, then you’re kidding yourself and wasting your money. Tools like microvirtualization must be considered in order to fill the gaps.”
Aftab Afzal, SVP & GM EMEA at NSFOCUS IB:
“This is a very unfortunate incident for Symantec, however no security solution is infallible, so that’s why defence in depth with multilayered controls is always the recommended approach. Attack vectors continue to evolve, and this is clearly not the first time we have seen antivirus being reverse engineered. The endpoint is last in the line, therefore putting in place cloud, perimeter or sandbox environments will limit the impact. Using the latest vulnerability & threat intelligence, whilst working with a diverse range of vendors, can reduce the risk. Smart vendor selection will meet almost all budgets.”
Federico de la Mora, VP EMEA at Lastline:
“Antivirus tools offer limited benefits, if any. The email service supplier or a signature-based email gateway are likely to stop almost all the known viruses or malware before it reaches the email client. However, signature-based AV is likely to miss most zero-days and targeted attacks hiding within email attachments and URL links. Ironically, web browsers are another door for malware to enter the organisation. However, modern browsers are very capable at blocking web sites based on a blacklist, for instance to warn users when accessing web sites used for phishing attacks. Based on my conversations with some customers, there is some frustration within the end user community about the limitations of signature-based solutions and the need for automated detection and protection against zero-day and targeted attacks.”
© 2015 - 2024 IT Security Guru - Website Managed by Dessol