U.S. Department of Homeland Security US-CERT   
      
   National Cyber Awareness System:   
      
      
      
   TA16-187A: Symantec and Norton Security Products Contain Critical    
   Vulnerabilities   
   07/05/2016 10:50 AM EDT   
      
      
   Original release date: July 05, 2016   
      
   Systems Affected   
   All Symantec and Norton branded antivirus products   
      
   Overview   
   Symantec and Norton branded antivirus products contain multiple    
   vulnerabilities. Some of these products are in widespread use throughout    
   government and industry. Exploitation of these vulnerabilities could allow a    
   remote attacker to take control of an affected system.   
      
   Description   
   The vulnerabilities are listed below:   
      
   CVE-2016-2207   
      
   Symantec Antivirus multiple remote memory corruption unpacking RAR [1]   
      
   CVE-2016-2208   
      
   Symantec antivirus products use common unpackers to extract malware binaries    
   when scanning a system. A heap overflow vulnerability in the ASPack unpacker    
   could allow an unauthenticated remote attacker to gain root privileges on   
   Linux    
   or OSX platforms. The vulnerability can be triggered remotely using a   
   malicious    
   file (via email or link) with no user interaction. [2]   
   CVE-2016-2209   
      
   Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow [3]   
   CVE-2016-2210   
      
   Symantec: Remote Stack Buffer Overflow in dec2lha library [4]   
   CVE-2016-2211   
      
   Symantec: Symantec Antivirus multiple remote memory corruption unpacking   
   MSPACK    
   Archives [5]   
   CVE-2016-3644   
      
   Symantec: Heap overflow modifying MIME messages [6]   
   CVE-2016-3645   
      
   Symantec: Integer Overflow in TNEF decoder [7]   
   CVE-2016 -3646   
      
   Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink    
   [8]   
      
      
   Impact   
   The large number of products affected (24 products), across multiple platforms    
   (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote    
   code execution at root or SYSTEM privilege) make this a very serious event. A    
   remote, unauthenticated attacker may be able to run arbitrary code at root or    
   SYSTEM privileges by taking advantage of these vulnerabilities. Some of the    
   vulnerabilities require no user interaction and are network-aware, which could    
   result in a wormable-event.   
      
   Solution   
   Symantec has provided patches or hotfixes to these vulnerabilities in their    
   SYM16-008 [9] and SYM16-010 [10] security advisories.   
      
   US-CERT encourages users and network administrators to patch Symantec or   
   Norton    
   antivirus products immediately. While there has been no evidence of    
   exploitation, the ease of attack, widespread nature of the products, and    
   severity of the exploit may make this vulnerability a popular target.   
      
   References   
   [1] Symantec Antivirus multiple remote memory corruption unpacking RAR   
   [2] How to Compromise the Enterprise Endpoint   
   [3] Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow   
   [4] Symantec: Remote Stack Buffer Overflow in dec2lha library   
   [5] Symantec: Symantec Antivirus multiple remote memory corruption unpacking    
   MSPACK Archives   
   [6] Symantec: Heap overflow modifying MIME messages   
   [7] Symantec: Integer Overflow in TNEF decoder   
   [8] Symantec: missing bounds checks in dec2zip    
   ALPkOldFormatDecompressor::UnShrink   
   [9] Symantec SYM16-008 security advisory   
   [10] Symantec SYM16-010 security advisory   
   Revision History   
   July 5, 2016: Initial Release   
      
   ----------------------------------------------------------------   
   --------------    
   -   
      
   This product is provided subject to this Notification and this Privacy & Use    
   policy.   
      
      
   ----------------------------------------------------------------   
   --------------    
   -   
   A copy of this publication is available at www.us-cert.gov. If you need help   
   or    
   have questions, please send an email to info@us-cert.gov. Do not reply to this    
   message since this email was sent from a notification-only address that is not    
   monitored. To ensure you receive future US-CERT products, please add    
   US-CERT@ncas.us-cert.gov to your address book.   
   OTHER RESOURCES:   
   Contact Us | Security Publications | Alerts and Tips | Related Resources   
   STAY CONNECTED:   
   Sign up for email updates   
      
   SUBSCRIBER SERVICES:   
   Manage Preferences  |  Unsubscribe  |  Help   
      
      
   ----------------------------------------------------------------   
   --------------    
   -   
   This email was sent to Fido4cmech@lusfiber.net using GovDelivery, on behalf   
   of:    
   United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW    
   Bldg 410 · Washington, DC 20598 · (888) 282-0870  Powered by GovDelivery   
   === Cut ===   
      
      
   -+-   
   Keep the faith   :^)   
      
      Ben  aka cMech  Web: http|ftp|binkp|telnet://cmech.dynip.com   
                    Email: fido4cmech(at)lusfiber.net   
                 Home page: http://cmech.dynip.com/homepage/   
              WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1   
      
   --- GoldED+/W32-MSVC v1.1.5 via Mystic BBS   
    * Origin: FIDONet - The Positronium Repository (1:393/68)