Symantec Vulnerability: What Should You Do?

Unless you’ve been living under a rock, if you’re a security professional you already know about the “as bad as it gets” flaws in Symantec’s antivirus engine, which expose Mac, Windows, and Linux machines–virtually any networked device running the software–without requiring any user interaction whatsoever.

Google’s Project Zero team–which discovered the flaws–reported them privately to Symantec, which issued an advisory on June 28. In that advisory Symantec says it knows of no exploits in the wild to date–but that will change unless security professionals take action fast.

What action? First off, you need to ensure that every device is updated. Do this now. Symantec has issued updates, but do not assume the software has applied them on its own: verify the installed version on every device rather than trusting that it patched itself.

Secondly, it may be time to revisit your endpoint security strategy. Relying on a single vendor or solution isn’t enough–and keep in mind that this isn’t a ding on Symantec per se. Google points out that it has uncovered serious issues in a range of other security products including Comodo Antivirus, ESET, Kaspersky, FireEye, McAfee, Avira, and Trend Micro. So putting all your eggs in one basket isn’t wise.

Finally–and this is something that only the largest enterprises and organizations can likely pull off–it’s time to put your security vendors on the hot seat.

Google researcher Tavis Ormandy points out that the Symantec flaw results from corner-cutting within Symantec’s development process. I can’t say it any better than he has, so here goes:

As with all software developers, antivirus vendors have to do vulnerability management. This means monitoring for new releases of third party software used, watching published vulnerability announcements, and distributing updates.

Nobody enjoys doing this, but it’s an integral part of secure software development.

Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.

In other words: the security software Symantec shipped injected a massive amount of risk into the enterprise networks it was meant to protect.

That’s the classic example of “third party risk”–and most enterprise organizations manage it poorly. They simply assume that a product or service is secure because the vendor says so, or is a market leader, or because it’s too difficult to address (if you have to babysit your vendors, how do you find time to do your day job?).

Unfortunately, regardless of the reason, blindly trusting vendors is no longer acceptable. And as noted, this problem doesn’t begin or end with Symantec. I’m sure the CISO of every Fortune 200 organization is on the phone with Symantec, but that’s not a long-term fix. What’s needed is to develop a solid third-party risk management assessment and mitigation initiative–and then subject all vendors to it.

So your third action item, after addressing the other two, is to revisit your third party risk assessment processes. Not everybody can support a fully-staffed third party risk organization–but you can’t afford to ignore the problem, either.
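The discipline Ormandy describes–tracking the third-party code a product bundles against upstream releases and published advisories–is mechanical enough to script, and the same check is the core of a third-party risk assessment of your own vendors’ products. What follows is an added example, not code from the original post or from Symantec or Google. It runs a stale-component check over a constructed inventory: the library names libmspack and unrarsrc come from the quote above, but every version string, sync date and advisory identifier (ADV-EX-…) is made up for illustration, and the one-year staleness threshold is an arbitrary policy choice.

```python
"""Stale-component check for vendored third-party code.

Added example, not code from the original post, Symantec or Google.
All versions, dates and advisory identifiers below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Component:
    name: str
    version: str          # version of the upstream code actually bundled
    upstream_latest: str  # newest release the upstream project has published
    last_synced: date     # when the vendored copy was last refreshed


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder IDs here, not real CVEs
    component: str
    fixed_in: str         # first upstream version that carries the fix


@dataclass(frozen=True)
class Finding:
    component: str
    kind: str             # "stale", "behind-upstream" or "unpatched-advisory"
    detail: str


def parse_version(text: str) -> tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10); a suffix such as '0.5alpha' keeps its digits.

    Comparing tuples of ints avoids the classic mistake of comparing version
    strings lexically, where '1.2.9' would sort after '1.2.10'.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def assess(inventory: Iterable[Component], advisories: Iterable[Advisory],
           as_of: date, max_age_days: int = 365) -> list[Finding]:
    """The three checks Ormandy lists: are we tracking upstream releases,
    are we reacting to advisories, and has anyone refreshed this code lately?"""
    advisories = list(advisories)
    findings: list[Finding] = []
    for comp in inventory:
        age = (as_of - comp.last_synced).days
        if age > max_age_days:
            findings.append(Finding(comp.name, "stale",
                                    f"last synced {age} days ago"))
        if version_lt(comp.version, comp.upstream_latest):
            findings.append(Finding(comp.name, "behind-upstream",
                                    f"bundled {comp.version}, upstream {comp.upstream_latest}"))
        for adv in advisories:
            if adv.component == comp.name and version_lt(comp.version, adv.fixed_in):
                findings.append(Finding(comp.name, "unpatched-advisory",
                                        f"{adv.advisory_id} fixed in {adv.fixed_in}"))
    return findings


# Constructed inventory: the library names come from the quote above, the
# versions and dates do not. The third entry is a control that should pass.
INVENTORY = [
    Component("libmspack", "0.1", "0.6", date(2009, 3, 1)),
    Component("unrarsrc", "3.7", "5.4", date(2008, 11, 15)),
    Component("examplelib", "2.3.1", "2.3.1", date(2016, 5, 1)),
]

# Constructed advisories with placeholder identifiers, not real CVEs.
ADVISORIES = [
    Advisory("ADV-EX-001", "libmspack", "0.5"),
    Advisory("ADV-EX-002", "unrarsrc", "5.0"),
    Advisory("ADV-EX-003", "examplelib", "2.2.0"),   # already fixed in 2.3.1
]

AS_OF = date(2016, 6, 28)   # the date of the Symantec advisory


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES, AS_OF):
        print(f"{f.component:<12} {f.kind:<20} {f.detail}")
```

Run as-is it reports the two made-up stale libraries three ways each and stays silent on the control entry. Against a real product you would feed it the actual vendored sources (a manifest or SBOM), the upstream release feed, and your advisory tracker; the point is that none of the three checks requires heroics, only that someone runs them on a schedule.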

But that’s for later. If you haven’t upgraded your Symantec software… stop reading and do it now! The rest can wait.

Good links:

Google Security Advisory

Bug List

Symantec Security Advisory
