Multiple critical security vulnerabilities have been discovered in a range of Symantec products, including major consumer and enterprise releases such as Norton Security, Endpoint Protection and legacy offerings such as Norton anti-virus.
The bugs, which reportedly impact Windows, Mac and Linux platforms, were exposed by Google Project Zero researcher Tavis Ormandy and described as "as bad as it gets." He continued: "[The flaws] don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.
"In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers."
The flaws, the researcher explained, could allow attackers to effectively infiltrate entire computer systems – in some cases a hacker could exploit the bugs with the use of one malicious email.
In his in-depth research notes, which were only released after the issues were responsibly reported to Symantec, Ormandy said some of the infected products were using open-source code that, in some instances, had not been updated in seven years.
"Symantec dropped the ball here," he asserted. "Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases."
For its part, Symantec released its own security advisory on 28 June which outlined the slew of problems and vulnerabilities. It also admitted over 25 product lines were impacted by the critical bugs and listed steps users should now take to update. It did add: "Symantec is not aware of these vulnerabilities being exploited in the wild."
Users are now being urged to check the advisory as Symantec noted that not every update will automatically install – especially in some enterprise versions. The news is the latest in a long-line of issues exposed by Google's crack research team.
Security flaws in software released by major security firms including FireEye, Trend Micro, Eset and Kaspersky Lab have all been disclosed over the past five years. However, this is not the first time Symantec has been the focus of Ormandy's research.
In May, the same computer expert revealed a flaw that could be exploited to give hackers "complete control" of a computer system using a 'remote code execution' bug in Symantec's product line-up. Like the most recently-revealed flaw, the cross-platform issue could also be used to attack Windows, Mac and Linux systems.