Symantec’s problems fixing bugs in its archive parser discovered by Google’s antivirus bug-hunter Tavis Ormandy aren’t quite over yet.
Symantec has released patches for two bugs affecting its consumer Norton security products for Windows and Mac systems, and several enterprise products including Symantec Endpoint Protection.
According to Symantec, the medium severity bugs affect a component of its antivirus engine called “decomposer”, which is used in several of its products to parse archive files, such as RAR and ZIP.
This is the same component in which Ormandy previously discovered dozens of bugs, prompting patches from Symantec in June. While both agreed the June fixes were critical, Symantec and Ormandy disagree over the impact of the two latest bugs.
Symantec said in an advisory on Tuesday that “parsing of maliciously formatted RAR container files may cause an application-level denial of service condition”.
However, Ormandy, a member of Google’s Project Zero team, claimed the two bugs fall into the more serious category of remote code execution.
Users of Norton-brand and key Symantec enterprise products should receive an automatic update via its LiveUpdate service, though some products need a manual update.
Semantics aside, Ormandy’s ongoing work has shone a light on security products, which are expected to have the highest standards of security, given their purpose and that their makers often hold others to account for insecure coding practices. Also, as was highlighted in Symantec’s June fixes, the decomposer component runs with the highest possible privileges on Windows systems.
The Google security researcher reported the current issues to Symantec on June 30, shortly after Symantec’s first stab at fixing decomposer. His report in Project Zero’s database has now been unlocked following Symantec’s patches.
According to Ormandy, the original set of bugs was due to Symantec using an “ancient” and bug-riddled version of UnRAR, the application it used for unpacking RAR files in its security products.
He explains the new set of bugs — “remote code execution vulnerabilities at the highest possible privilege level” — stem from Symantec not addressing the root cause of the previous bugs.
“I had expected Symantec to rebase on 5.4.2 (the latest version [of UnRAR] as of this writing), but they appear to have just backported fixes for the few issues I sent them,” he wrote.
“Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out.”
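The backport-versus-rebase problem Ormandy describes is a supply-chain hygiene issue that can be checked mechanically: if a product vendors a third-party parser, the build should know how far that copy lags upstream and how many local patches have piled up on it. The script below is an added illustration written for this article, not Symantec's or Google's code. It scans a constructed source tree for a vendored UnRAR version string, compares it with the upstream 5.4.2 release named in the article, and counts backported fixes. The file layout, the `UNRAR_VERSION` constant, and the `BACKPORTS.txt` log format are assumptions made for the example; the real UnRAR source is laid out differently.

```python
"""Vendored-dependency drift check for an embedded archive parser.

Added example, not Symantec's code. It flags the pattern described in the
article: a vendored library that is behind upstream but carries a growing
stack of backported fixes instead of being rebased.
"""
import re
from dataclasses import dataclass

UPSTREAM_UNRAR = "5.4.2"  # upstream release named in the article

# Constructed sample tree (a dict of path -> file contents). The layout,
# the version constant and the backport log are assumptions for this example.
VENDORED_TREE = {
    "decomposer/unrar/version.h": 'static const char *UNRAR_VERSION = "3.7.0";\n',
    "decomposer/unrar/BACKPORTS.txt": (
        "backport heap-overflow-fix (upstream 5.0.0)\n"
        "backport bounds-check-fix (upstream 5.2.1)\n"
        "backport length-check-fix (upstream 5.3.0)\n"
    ),
}

VERSION_RE = re.compile(r'UNRAR_VERSION\s*=\s*"(\d+(?:\.\d+)*)"')
BACKPORT_RE = re.compile(r'^backport\s+(\S+)\s+\(upstream\s+(\d+(?:\.\d+)*)\)', re.M)


def parse_version(text):
    """'5.4.2' -> (5, 4, 2). Integer tuples compare correctly; raw strings
    do not ('5.10.0' < '5.4.2' as strings, which is wrong as versions)."""
    return tuple(int(part) for part in text.split("."))


def find_vendored_version(tree):
    """Return (path, version string) of the first file that carries the
    assumed UNRAR_VERSION constant, or (None, None) if none is found."""
    for path, content in tree.items():
        match = VERSION_RE.search(content)
        if match:
            return path, match.group(1)
    return None, None


def count_backports(tree):
    """Count backport entries in any BACKPORTS.txt in the tree."""
    total = 0
    for path, content in tree.items():
        if path.endswith("BACKPORTS.txt"):
            total += len(BACKPORT_RE.findall(content))
    return total


@dataclass
class DriftReport:
    path: str
    vendored: str
    upstream: str
    behind: bool
    backports: int

    @property
    def verdict(self):
        if not self.behind:
            return "vendored copy matches or exceeds upstream"
        if self.backports == 0:
            return "behind upstream with no local patches"
        return (f"behind upstream with {self.backports} backported fixes: "
                "rebase instead of adding more backports")


def audit(tree, upstream=UPSTREAM_UNRAR):
    """Compare the vendored version against upstream and summarise drift."""
    path, vendored = find_vendored_version(tree)
    if vendored is None:
        raise ValueError("no vendored UNRAR_VERSION constant found")
    behind = parse_version(vendored) < parse_version(upstream)
    return DriftReport(path, vendored, upstream, behind, count_backports(tree))


if __name__ == "__main__":
    report = audit(VENDORED_TREE)
    print(f"{report.path}: vendored {report.vendored}, upstream {report.upstream}")
    print(report.verdict)
```

Run as a CI step against the real tree, the same check gives a reviewer a concrete number to push back on when a fix arrives as yet another backport rather than an upstream rebase.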
When asked for comment by CSO Australia, a Symantec Australia spokeswoman referred to the advisory, which describes the bugs as denial of service issues.