The prevalence of zero-day vulnerabilities hit close to home this week when a North American penetration tester published a report claiming to have found a vulnerability in Symantec Endpoint Protection. The finding in Symantec’s ISTR vol. 19 of a 64%* increase in zero-day discoveries last year came alive as the Endpoint Protection product team reacted quickly to confirm the issue and respond to the risk with a patch (available on FileConnect).
To date, no known compromise has been reported due to this medium-severity vulnerability. The issue affects the Application and Device Control component of Symantec Endpoint Protection. If exploited, it could result in a client crash or denial of service; a successful exploit could escalate to admin privileges and gain control of the system.
It’s important to note that the vulnerability is not remotely accessible, meaning an attacker would require direct access to the machine to carry out an exploit. The vulnerability affects all versions of Endpoint Protection 11.x and 12.1; however, Symantec Endpoint Protection 12.1 Small Business Edition is not affected. If patching is not an option, other mitigating measures are outlined in the related KB Article.
For customers using version 12.1 of Symantec Endpoint Protection Manager, only the client requires the update to 12.1 RU4 MP1b to patch the issue. SEP 12.1 customers are also better protected against vulnerabilities like these thanks to the advanced protection capabilities of Insight and SONAR.
More information on the vulnerability and mitigating actions can be found at the KB Article or in the official advisory.