|
Google's "Project Zero" released details about a number of critical vulnerabilities in Symantec's Endpoint Protection prodoct [1]. The vulnerabilities allow for arbitrary code execution on systems with this product installed. Other Symantec products are affected as well , since the vulnerabilities affect the core scanning engine in Symantec Endpoint Protection. Symantec has released updates, and given the details released by Google you should update as soon as possible. You will need to update the actual Symantec product, which is different from performing a signature update (the signature update happens automatically) [1] http://googleprojectzero.blogspot.ca/2016/06/how-to-compromise-enterprise-endpoint.html --- |
Johannes 4349 Posts ISC Handler Jun 29th 2016 |
| Thread locked Subscribe |
Jun 29th 2016 5 years ago |
|
Take this one seriously. Very deadly for those using unpatched Symantec products.
|
Anonymous |
| Quote |
Jun 29th 2016 5 years ago |
|
This IS a bad one - patch immediately!
|
mweeks 2 Posts |
| Quote |
Jun 30th 2016 5 years ago |
|
I concur that is the very serious especially given that the files are unpacked in the Windows kernel (who in their right mind unpacks anything in the kernel).
|
PW 68 Posts |
| Quote |
Jun 30th 2016 5 years ago |
|
Re: unpacking in kernel
"But we've done it that way for decades! What could possibly go wrong?" |
Jaybone 27 Posts |
| Quote |
Jun 30th 2016 5 years ago |
|
Despite this being an extremely serious vulnerability, I don't see how any enterprise would roll this out immediately.
This is a product that would touch almost each and every endpoint in an organisation. Before rolling out it would have to go through a process of testing to ensure that it does not bring with it any instability or incompatibility that wasnt present in past versions. I would expect to see at least a 2 month gap before mass rollouts happen. |
Michael 32 Posts |
| Quote |
Jul 2nd 2016 5 years ago |
|
It is amazing what you can accomplish with a sword hanging over you. The possibility of 10s of thousands of system compromised is quite motivating.
|
Michael 1 Posts |
| Quote |
Jul 3rd 2016 5 years ago |
|
Curious has anyone has confirmed if EMET can mitigate this attack.
It would be interesting to know if AV would benefit from the opt-in protections of EMET. Typically I think of high risk user apps for ideal targets with EMET (Docs, Browsers, Email, Flash, etc.) and I never considered AV as a candidate, but seems like the attacks(Heap, Pool, ROP) should be right up EMETs ally unless the level of privileges or way the unpacking is done in kernel makes EMET unable to protect the memory? |
Coalminer 3 Posts |
| Quote |
Jul 5th 2016 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
