CVE-2016-2208 is a vulnerability in how AVE, the Symantec antivirus engine, parses executable files compressed with the ASPack packer. The problem affects a number of Symantec and Norton products, including Symantec Endpoint Antivirus, Norton Antivirus, Symantec Email Security, and the Symantec Scan Engine. As Symantec said in its advisory on the issue, dubbed CVE-2016-2208: “No user interaction is required to trigger the parsing of the malformed file.”

Google Project Zero security researcher Tavis Ormandy said that “For Linux, OS X, and other Unix-like systems, the exploit results in a remote heap overflow as root in the Symantec or Norton process, and on Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability — this is about as bad as it can possibly get”.

When Tavis Ormandy reported the issue to Symantec, he noted that triggering the bug in code running at kernel level or as root causes a memory access violation, which in most cases leads to an immediate crash of the system. To exploit it, an attacker only needs to send a specially crafted file; no further action is required. Symantec's mail server went down as soon as the company's product unpacked the file containing the researcher's proof-of-concept code. Tavis Ormandy explained that “This is a remote code execution vulnerability. Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it”.