A new vulnerability has been discovered in Symantec AntiVirus for Macintosh which may allow a local user to run arbitrary code as root. An executable used by the Mount Scan feature of Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh runs with root privileges. A member of the admin group could replace this executable with code of their choice and thereby gain root access.
The weakness is caused by insecure permissions on the "/Library/Application Support" folder. This can be exploited to execute arbitrary code as the "root" user by e.g. replacing a certain application within the affected folder, or by tricking the Disk Mount scanner into launching an arbitrary executable by renaming folders.
Successful exploitation requires membership of the "admin" group and that "mount scanning" is enabled and configured to show its progress.
The weakness is reported in Norton AntiVirus for Macintosh 9.x-10.x, Norton Internet Security for Macintosh 3.x, Symantec AntiVirus for Macintosh 10.0 and 10.1. Linux and Windows versions are not affected.
Solution: The vendor recommends disabling "Show Progress During Mount Scans" and setting the sticky bit on the "/Library/Application Support" folder, so that only an entry's owner (or root) can rename or delete files and folders there even though the folder itself stays group-writable (see the vendor's advisory for details).
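The following shell script is an added example, not Symantec's code or anything from the vendor advisory. It audits a folder for the permission pattern behind this weakness (writable by group or others without the sticky bit) and applies the sticky-bit mitigation described above. The mode-string parsing relies only on "ls -ld", so it behaves the same on macOS and Linux; the scratch directory, its 775 mode and the "ScannerHelper" file name are constructed for the stand-alone run and stand in for the real root-owned mount-scan executable.

```shell
#!/bin/sh
# Added example (not vendor code): audit a shared folder for the insecure
# permissions described in the advisory and apply the sticky-bit mitigation.
# The folder named in the advisory is /Library/Application Support; the demo
# below runs on a constructed temporary directory so it needs no root access.

# Print the 10-character mode string of a path, e.g. "drwxrwxr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (0) when group (position 6) or other (position 9) has write access.
writable_by_nonowner() {
    case "$(mode_of "$1")" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# Succeed when the sticky bit is set (position 10 shows t or T).
has_sticky() {
    case "$(mode_of "$1")" in
        *t|*T) return 0 ;;
    esac
    return 1
}

# A directory is hardened against entry replacement by other group members
# when it is either not writable by anyone but its owner, or writable but
# sticky: with the sticky bit only an entry's owner (or root) may rename or
# unlink it, so an admin-group user can no longer swap a root-owned binary.
# Returns 0 hardened, 1 exposed, 2 when the path is not a directory.
dir_is_hardened() {
    [ -d "$1" ] || return 2
    if writable_by_nonowner "$1" && ! has_sticky "$1"; then
        return 1
    fi
    return 0
}

# Apply the vendor-style mitigation: keep the folder shared, set the sticky bit.
harden_dir() {
    chmod +t "$1"
}

# Constructed demonstration: a group-writable scratch folder holding a file
# that stands in for the mount-scan helper executable.
demo() {
    scratch=$(mktemp -d) || return 1
    chmod 775 "$scratch"
    touch "$scratch/ScannerHelper"
    echo "before: $(mode_of "$scratch")"
    dir_is_hardened "$scratch" || echo "exposed: $scratch is writable without sticky bit"
    harden_dir "$scratch"
    echo "after:  $(mode_of "$scratch")"
    dir_is_hardened "$scratch" && echo "hardened: $scratch"
    rm -rf "$scratch"
}

demo

# On a Mac, also report the real folder from the advisory (skipped elsewhere).
if [ -d "/Library/Application Support" ]; then
    dir_is_hardened "/Library/Application Support" \
        && echo "/Library/Application Support: hardened" \
        || echo "/Library/Application Support: exposed, run: sudo chmod +t '/Library/Application Support'"
fi
```

The check deliberately treats a non-writable folder as already hardened: the sticky bit only matters once someone other than the owner can create, rename or delete entries, which is exactly the situation the advisory describes for the admin group.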
Best Practices
Symantec recommends any affected customers apply one of the mitigation steps to protect against potential attempts to exploit this issue. As part of normal best practices, Symantec also recommends the following:
Run under the principle of least privilege to limit the impact of potential exploits.
Restrict access to computer systems to trusted users only.
Keep all operating systems and applications updated with the latest vendor patches.
Follow a multi-layered approach to security. Run both firewall and antivirus software to provide multiple points of detection and protection from inbound and outbound threats.