Researchers with Google's Project Zero security team announced on Wednesday a major vulnerability affecting nearly all Symantec snake-oil antivirus products. The kernel vulnerability requires no user action: attackers could corrupt system memory without the user even opening the email used to trigger the flaw.
These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.
Symantec indicated it was not yet aware of anyone actually exploiting the bug, and responded by making a new panacea that supposedly fixes the problem.