Symantec scrambles to patch severe holes in 26 products

"As bad as it gets" flaws in enterprise, consumer security offerings.

Symantec enterprise and Norton security product users are being urged to patch their applications immediately after multiple dangerous vulnerabilities were discovered.

The security firm has advised that 17 enterprise security products and nine Norton consumer offerings are affected.

Google Project Zero researcher Tavis Ormandy discovered the flaws. The most serious issue is that the products unpack compressed executables in the operating system kernel to analyse them for malicious code.

He said this dangerous practice means the vulnerability can be exploited by simply sending a link or an email - users don't need to do anything to activate an attack.

It is also possible to exploit the decomposer library in the core scan engine of Symantec's antivirus products and Endpoint Enterprise Protection applications to remotely execute code at the Windows system level, Ormandy found.

"These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," he wrote.

"In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

Ormandy found eight serious vulnerabilities in Symantec's security products, potentially affecting millions of enterprise users and consumers who have not patched their systems.

The flaws include buffer and integer overflow vulnerabilities, as well as exploitable memory corruption bugs that could lead to local application denial of service and remote code execution, Symantec warned.
