The "as bad as it gets" security flaws identified across the range of Symantec's security products will not be patched until mid-July, the company has warned customers.
While some patches have been rushed out to cover some of the "as bad as it gets" security flaws identified by Google's Project Zero, the patches to secure the fundamental architectural flaws are still some weeks away.
According to customers, while the cloud-based versions of Symantec's Endpoint Protection Small Business Edition will (finally) be updated this week, users of the workstation versions will have to wait weeks. Symantec has promised updates "by mid-July" and recommended that customers apply them as a matter of urgency. But in the meantime, users of Symantec's security products will be vulnerable.
Google's Project Zero publicised the catastrophic flaws it found in Symantec's Norton Antivirus products last week, after uncovering them in May and reporting them to Symantec.
"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption," warned Tavis Ormandy, in a blog posting revealing the vulnerabilities.
Ormandy criticised Symantec for the flaws, which he suggested were the result of cutting corners. For example, antivirus software typically has dedicated unpackers to get around the problem of software "packers" that compress executables.
"This causes a problem for antivirus products because it changes how executables look," he said. "Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers."
The problem with both of these solutions, according to Ormandy, is that they're hugely complicated and prone to vulnerabilities, making it "extremely challenging" to make such code safe.
"We recommend sandboxing and a security development life cycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities," he said.
Other security companies have been whacked for cutting corners here, including Comodo, ESET, FireEye and Kaspersky, but Symantec runs its unpackers in the kernel of the operating system.
Symantec has come under fire for years over the quality of its security products. The company recently elected to break itself in two, selling off its Veritas storage management products business for $8bn.
It was also identified as the source of a number of rogue SSL certificates last year, for which a number of employees were fired.