Through the security flaws, hackers can compromise a machine without the user opening an email or clicking a link.
The team of security analysts from Google Project Zero found that the newly uncovered vulnerabilities affect millions of people who run endpoint security and antivirus software from the two firms.
According to the researchers, the flaws were found in all 17 Symantec-brand enterprise products and eight consumer and small-business Norton-brand products.
“These vulnerabilities are as bad as it gets,” Tavis Ormandy, an information security engineer at Google, wrote in a Project Zero blog post earlier this week.
“They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption,” he continued.
Earlier this year, Ormandy revealed that a password management tool from security firm Trend Micro was found to be vulnerable to remote code execution. He discovered bugs in the antivirus programs that could actually provide an entryway for hackers to steal all of a user’s passwords.
Ormandy said that even after Trend Micro issued an initial fix to the issue, the password management tool was still left exposed to roughly 70 API calls.
“I sent a mail saying, ‘That is the most ridiculous thing I’ve ever seen,’” Ormandy said in email messages he posted, documenting his exchange with Trend Micro.
“I don’t even know what to say — how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?”
In his messages to the security firm, Ormandy pointed out the severity of distributing a password management tool that exposes the sensitive data it is built to keep secure.
“Anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I’m astonished about this,” Ormandy said in an email message.
Update (July 5, 2016):
On Tuesday (July 5), the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) issued an alert to the security industry concerning the vulnerabilities discovered in Symantec’s antivirus software, Reuters reported. The agency called the situation a “very serious event” and advised customers to proceed with updating their software via two security patches provided by Symantec.