DHS: Security Holes in All Symantec Programs a ‘Very Serious Event’

On Tuesday, the Homeland Security Department warned of severe security holes in all Symantec and Norton antivirus programs, including those widely used throughout the government.

Late last year, Congress granted DHS new powers to scan agency networks for intruders using a federal firewall called EINSTEIN. 

DHS spokesman Scott McConnell said in an email Tuesday that the department “provides a common baseline of security across the civilian government and helps agencies manage their cyber risk,” and "each federal agency is responsible for its cybersecurity."

As for its own internal response, the DHS Enterprise Security Operations Center is tracking patches of the Symantec vulnerabilities across the department, a Homeland Security official told Nextgov on background.  

The weaknesses impact 24 security products, including Symantec Endpoint Protection, Symantec Email Security, Norton Security and Symantec Protection for SharePoint Servers.

"Some of these products are in widespread use throughout government and industry. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system," DHS officials said in an alert published through the National Cyber Awareness System. 

The federal government has awarded Symantec contracts worth $63 million since 2008, according to USASpending.gov. 

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Homeland Security also provides a link to a Google researcher's depiction of the situation.

"These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," Tavis Ormandy, of Google's Project Zero team, wrote in a company blog post June 28.

The DHS U.S. Computer Emergency Readiness Team recommends users and system administrators fix their Symantec programs immediately. 

But some of the products cannot be automatically updated, requiring administrators to take manual action on their networks.

Google’s Ormandy reported the security flaws to Symantec and helped devise fixes, according to the antivirus company.

Symantec's official advisory regarding the security issue is here.

The large number of vulnerable products -- across Apple, Windows and Linux operating systems -- "and the severity of these vulnerabilities ... make this a very serious event," Homeland Security officials said.

While U.S. CERT does not have evidence indicating hackers have exploited the holes, the ubiquity of the products and gravity of the security problem essentially make Symantec software a bull's eye, or, as the department terms it, "a popular target."