If there's a lesson to be learned from last week's news that several Symantec enterprise and consumer endpoint security products have serious vulnerabilities, it's that even security tools have exploitable flaws. Buyer beware and all that.
Tavis Ormandy, of Google's Project Zero team, said the vulnerabilities in Symantec's code are "as bad as it gets." Most of the flaws were in the Decomposer component, which parses various file formats, including archive files like .rar and .zip.
Symantec unpacked archives right in the kernel using "the highest privilege levels possible," which means malware compressed into one of these archives is opened in the most sensitive part of the operating system.
This could lead to remote code execution and be used to create worms that execute and spread through local networks without user interaction.
The list of affected products includes all versions of Symantec Endpoint Protection, Symantec Email Security, Symantec Protection Engine, Symantec Protection for SharePoint Server, Norton Security, Norton 360, and other legacy Norton products.
Symantec has fixed the flaws, but enterprise administrators should make sure the products are updated to receive the fixes. The automatic signature updates do not update the actual software application.
The problems are bad, especially since this is the second time Ormandy has dinged Symantec for security issues, but the company is not the only offender.
Ormandy and other members of the Project Zero team have uncovered several serious vulnerabilities in antivirus products over the past few months, including offerings from Kaspersky Lab, ESET, FireEye, Trend Micro, Sophos, McAfee, and Comodo.
But this isn't the time for enterprise customers to punish Symantec for releasing problematic code or for its design decision to unpack files in the kernel instead of adopting a sandbox as a more secure alternative.
The problem is much more pervasive throughout the security industry and reflects the broader challenge organizations face when writing secure code.
"Writing secure software is tough, but the OS vendors (such as Microsoft, and even Apple) have made great strides in recent years to harden their code -- so why can't others in the security industry do the same?" said Patrick Wardle, director of research at Synack.
In Symantec's case, the developers didn't utilize common compiler-level mitigations, such as -fstack-protector on Linux, said Wardle.
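As an added illustration (not Symantec's code and not from the article), the shell script below shows the audit check a reviewer would run to see whether a binary was built with the stack-protector mitigation Wardle refers to: a build with canaries enabled references the `__stack_chk_fail` runtime symbol, while a build compiled with `-fno-stack-protector` does not. It assumes a C compiler reachable as `cc` (gcc or clang) and `nm` are installed; the small C program it compiles is constructed for the demo and does nothing but a bounded copy.

```shell
#!/bin/sh
# Added example: detect whether a binary was compiled with GCC/Clang stack
# protection by looking for the __stack_chk_fail runtime symbol that every
# canary-bearing function calls on corruption. Assumes cc and nm on PATH.

has_stack_protector() {
    # Unstripped binaries list the undefined symbol with plain nm; stripped
    # dynamically linked binaries still expose it via the dynamic table
    # (nm -D on GNU nm; the extra call is harmless where -D is unsupported).
    { nm "$1"; nm -D "$1"; } 2>/dev/null | grep -q '__stack_chk_fail'
}

# Build one constructed demo program twice, with and without the mitigation,
# and print the directory holding both binaries ("protected", "unprotected").
build_demo() {
    dir=$(mktemp -d)
    cat > "$dir/demo.c" <<'EOF'
#include <stdio.h>

/* A local char array is exactly the shape of function that -fstack-protector
 * guards with a canary; the copy itself is bounded, so the program is safe. */
int main(int argc, char **argv)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", argc > 1 ? argv[1] : "");
    puts(buf);
    return 0;
}
EOF
    cc -fstack-protector-strong -o "$dir/protected"   "$dir/demo.c" || return 1
    cc -fno-stack-protector     -o "$dir/unprotected" "$dir/demo.c" || return 1
    printf '%s\n' "$dir"
}

# Print a one-line verdict for a binary path.
report() {
    if has_stack_protector "$1"; then
        printf '%s: stack protector present\n' "$1"
    else
        printf '%s: NO stack protector symbol found\n' "$1"
    fi
}

# Usage: ./check_ssp.sh [binary ...]; with no arguments, run the self-demo.
if [ "$#" -gt 0 ]; then
    for bin in "$@"; do report "$bin"; done
else
    demo_dir=$(build_demo) && report "$demo_dir/protected" && report "$demo_dir/unprotected"
fi
```

`-fstack-protector-strong` is the stronger variant of the `-fstack-protector` flag named in the article; it guards every function with a local array or address-taken local rather than only those with character buffers of at least eight bytes. Note the limits of the check: a binary with no canary-eligible functions will not reference the symbol even when the flag was used, and a statically linked or fully stripped binary needs disassembly rather than symbol inspection, so treat a miss as a prompt to confirm the build flags, not as proof.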
The State of Software Security v3 report from application security vendor Veracode found that security software was the second-worst category of software for application security.