Symantec is one of the most popular security tools protecting government, corporate and personal computers.
But the program has so many critical holes — which could let hackers into computers — that the U.S. Department of Homeland Security issued a stern warning to the public this week.
On Tuesday, the law enforcement agency issued an alert that “all Symantec and Norton branded antivirus products” could allow hackers “to take control” of a computer.
It’s a widespread problem.
Symantec is the fifth most popular anti-malware software, according to industry trackers at OPSWAT. It’s on millions of computers worldwide. It’s the front line of defense at companies and government offices everywhere.
And it’s particularly embarrassing for Symantec, a tech giant. To protect its customers, Symantec software is given intimate access to the inside of people’s computers — and these code flaws exploit that very trust.
That trust actually makes it easier for a virus to spread through a network of computers, according to the federal warning. If a computer simply receives an email with an infected file — or even a link to an infected website — it would be at risk.
Other cybersecurity programs would not let that happen.
Tavis Ormandy, a security researcher on Google’s elite “Project Zero” security team, discovered the flaws. He described the problem in a blog post last week.
“These vulnerabilities are as bad as it gets,” he wrote. A hacker “could easily compromise an entire enterprise fleet.”
Ormandy warned Symantec about the problem in April. The company issued some fixes last week.
“Fixes are currently in place and updates are now available,” Symantec vice president for security Adam Bromwich said in a post last week.
But it’s unclear how quickly companies and government offices will be able to update every computer on their networks.
Computer security experts have long voiced concerns that cybersecurity software is riddled with flaws. Researchers often focus lots of attention to spot mistakes in popular computer programs, but they devote little time to strengthening the popular software used as protection.
Symantec is no exception.
“By installing their software you’re actually making yourself less secure. There’s an irony in that,” said Jack Daniel, a computer security expert in Massachusetts.
Symantec said it has not yet seen hackers exploiting these bugs to enter people’s computers. But in the computer world, that could mean that no one’s been caught.