Symantec has urged users of its Norton antivirus to update the software, after it was found to contain a huge security flaw.
Google security researcher Tavis Ormandy discovered a vulnerability that, if exploited by hackers, could let them take control of a computer. An attack would be terribly simple to carry out: the hacker would just need to email a file to the target computer to gain access to it. Because the antivirus intercepts and scans incoming files on its own, the victim wouldn't even need to open the email or the file.
Ormandy said that a flaw on this scale “is about as bad as it can possibly get”. Symantec responded by fixing the flaw, tracked as CVE-2016-2208, with an update. To get this, Norton users should update their antivirus through Symantec’s LiveUpdate tool. The company tried to reassure users by saying that it wasn’t aware of hackers exploiting the flaw.
Ormandy works for Google Project Zero, a team of cyber security experts who look for bugs known as zero-day flaws – so-called because the software’s developer has had ‘zero’ days to fix them by the time they are discovered or exploited.
When the researchers find a vulnerability, they give the company responsible a 90-day deadline to release a fix. If this doesn’t arrive in time, they publicly reveal the flaw, allowing hackers to pounce. Some security experts have called this policy deeply reckless.
Project Zero’s biggest scalp came two years ago when it shamed Microsoft about not fixing a flaw in Windows 8.1. Google’s researchers said they told Microsoft about the problem on 30 September 2014, but were still waiting for a fix 90 days later. Microsoft finally fixed the flaw in mid-January, two weeks after Project Zero exposed it online.