Dive Brief:
- Popular security suites from Symantec and Norton "contain critical vulnerabilities," the Department of Homeland Security said Tuesday.
- The warning, issued by US-CERT, comes less than a week after Google also issued a warning about the products.
- Symantec, which issues products under its own name and the Norton brand, has released patches for the vulnerabilities. Still, many users may not have installed those patches.
Dive Insight:
This is a potentially massive problem, even though hotfixes have been issued. Norton and Symantec products are among the most popular in the field and are installed in everything from smartphones to massive enterprises. Again and again, hackers have exploited systems where security patches haven't been installed, so it's a reasonable assumption that this will happen here.
"The large number of products affected (24 products), across multiple platforms (OSX, Windows, and Linux), and the severity of these vulnerabilities (remote code execution at root or SYSTEM privilege) make this a very serious event," US-CERT wrote in the warning. "A remote, unauthenticated attacker may be able to run arbitrary code at root or SYSTEM privileges by taking advantage of these vulnerabilities. Some of the vulnerabilities require no user interaction and are network-aware, which could result in a wormable-event."
Last week, a Google security expert ripped into Symantec, calling the vulnerabilities "as bad as it gets." Google discovered the vulnerabilities and alerted Symantec.