Symantec holes "as bad as it gets"; $250m to fix Telstra problems; ADSL regulation inquiry
Google’s Project Zero team has published details of “multiple critical vulnerabilities” that it claims to have discovered in security products from Symantec and its division, Norton.
Project Zero researcher Tavis Ormandy detailed some of the vulnerabilities in a blog post titled ‘How to Compromise the Enterprise Endpoint’.
Ormandy wrote that many of the Symantec vulnerabilities that Project Zero discovered were “wormable remote code execution flaws”.
“These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption,” he wrote.
According to the Project Zero researcher, Symantec uses the same core engine across its entire product line, and as a result, “all Symantec and Norton branded antivirus products are affected by these vulnerabilities”.
Some of the products affected by the vulnerabilities cannot be automatically updated, Ormandy said, adding that “administrators must take immediate action to protect their networks”.
The blog post included a link to relevant advisories for customers that Symantec has published.
Ormandy’s blog post provided specifics on several of the vulnerabilities that Project Zero claimed to have found. In the case of one of the vulnerabilities, “just emailing a file to a victim or sending them a link to an exploit is enough to trigger” the vulnerability, the researcher wrote.
“[T]he victim does not need to open the file or interact with it in any way. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers,” he wrote.
An attacker could “easily” compromise an entire enterprise fleet using such a vulnerability, the researcher said.
Ormandy said that on top of the vulnerabilities detailed in his post, “we also found a collection of other stack buffer overflows, memory corruption and more”.
“Thanks to the Symantec Security Team for their help resolving these bugs quickly,” he wrote.
Telstra pledges $250 million for network
Telstra has said it will spend $250 million on upgrading its network, after several recent high-profile network interruptions.
Andrew Penn, the company’s CEO, made the announcement on the Telstra Exchange website.
Penn acknowledged and apologised for the network interruptions that customers have experienced in recent times, saying: “All of us at Telstra are deeply sorry for the inconvenience this has caused.”
The CEO said that Telstra is “very advanced” in implementing the recommendations that came out of a review of the company’s mobile network. “We have also recently completed an end-to-end review of our core network and IT systems, pinpointing sources of potential risk.
“As a result of this work we will be investing $250 million from our existing capital program, within our 15% capex to sales ratio, over the next 6 to 12 months to provide a higher degree of network resilience and improved network performance,” Penn wrote.
He said the $250 million figure will include investment in three areas:
- Enhancing the mobile network’s resiliency,
- Improving reliability and resiliency within the core network, and
- Increasing ADSL broadband capacity.
ACCC’s ADSL regulation inquiry
The ACCC has launched a public inquiry into whether ADSL should continue to be regulated.
A bit of background: the ACCC has the ability to ‘declare’ a service, meaning that the owner of the network must provide access to the service on request. Where commercial agreement can’t be reached, the ACCC must determine regulated price and non-price terms.
“Declaration ensures all service providers have access to the infrastructure they need to supply competitive communications services to end users,” the ACCC explained.
The ACCC first declared access to the wholesale ADSL service in February of 2012. The commission is required to review this declaration before it expires in February 2017.
“A number of changes have occurred since the wholesale ADSL service was first declared in 2012, including the progressive rollout of the National Broadband Network,” ACCC Commissioner Roger Featherston said.
“This inquiry will assist the ACCC in determining whether continued declaration of the wholesale ADSL service is in the long-term interests of end users,” Featherston said.
The ACCC is seeking public comment on a range of issues relevant to the inquiry, with submissions due by 29 July this year.
More information is available on the ACCC website.