MANILA, Philippines – A security researcher from Google’s Project Zero reported “multiple critical vulnerabilities” in Symantec’s product line, including both home users and enterprise solutions.

Tavis Ormandy of Google’s Project Zero initiative said on Tuesday, June 28: “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”

Ormandy’s post appears to have been made shortly after Symantec put out its own advisory. The advisory lists 17 Symantec enterprise products and 8 Norton products for consumers and small businesses, all of which use the same core engine across the product line.

Ars Technica breaks down one of the major vulnerabilities further, saying that errors in the compression tool and the unpacking system can “allow attackers to gain complete control over the vulnerable machine.” Some of the vulnerable software’s open-source code did not appear to have been updated in at least 7 years, which worsens the situation further.

The disclosed issues should be automatically installed onto most Symantec products, in the same way virus definitions are automatically updated. However, some end-users or enterprise administrators may need to input the fixes manually.

More information on the vulnerabilities is available on Project Zero or on Symantec’s advisory. – Rappler.com