Attention, small biz using Symantec AV: Smash up your PCs, it's the safest thing to do
Security patch for ridiculously bad bugs still weeks away
If you're using Symantec's Endpoint Protection Small Business Edition (SEP SBE) then you can forget about security for a week or so, as the company won't be patching the "as bad as it gets" security holes in its software for a while.
A Register reader who wishes to remain anonymous received an email from Symantec confirming users of the cloud SEP SBE package will be getting patched in the next few days. But the workstation version patches won't be pushed out until the middle of the month, and the Mac version by the end of July.
Meanwhile, if you're still using the older SEP SBE (on-premises) product, then you can forget about it – the system isn't going to get a fix for the problems that allow an attacker full run of a Symantec system without the need for a user to be involved in any way.
"Symantec has released antivirus definitions to detect and block exploitation," the company told us in an emailed statement. "In addition, updates to Symantec Endpoint Protection Small Business Edition will be available by mid-July. We recommend that customers apply these updates as soon as they are available."
That's going to be worrying for anyone using Symantec's kit, and a fairly shocking indictment of how slow Symantec has been on this. The flaws, disclosed publicly last week, were discovered and privately reported by the Google Project Zero security team in May. The team gave Symantec three months to fix the issues (although in the past it's been known to extend its deadline).
The issues with Symantec's code certainly seem to run deep. The Google team found wormable remote code execution holes running through Symantec's security suite that could be exploited without any need for a dumb user to open the wrong file.
"These vulnerabilities are as bad as it gets," said Project Zero team member Tavis Ormandy. "They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible."
That a company billing itself as the world's leading security company is still scrabbling to fix these flaws speaks volumes. It also makes the SEP SBE advertising slogan "You need to feel safe" darkly comic. To make matters worse, more flaws are on the way.
"Another round of testing, more new Symantec bugs. Another report on the way. #antivirus" – Tavis Ormandy (@taviso), June 30, 2016
Symantec was one of the biggest security firms of the 1990s, but has since fallen from grace. It's divesting itself of non-core assets and has gone through three CEOs in as many years. If you're relying on the firm for your security, you may want to look at other options. ®