Computer security giant Symantec, which makes popular antivirus software, including the Norton brand, has been on a roller coaster lately. And on Wednesday it suffered a major black eye.
Google’s most famous security researcher, Tavis Ormandy, published a scathing blog post documenting some huge security holes he found in Symantec’s major security products being sold to enterprises.
“These vulnerabilities are as bad as it gets,” Ormandy writes.
“They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
To decode that a little: Ormandy is saying that Symantec’s holes are so serious, they could give an attacker control over Windows without doing things like tricking people into opening malware-laced attachments.
These huge holes were found in all all Symantec antivirus products, as well is its Norton antivirus brand. That’s a big embarrassment for a company whose main business is security.
Symantec jumped to fix the problems
Ormandy is part of Google’s Project Zero. That’s a Google project with a mission to improve overall computer security in the industry by poking around other companies’ software, finding holes, and convincing those vendors to fix those holes.
Ormandy also took Symantec to task for using old code with loads of widely known security holes, some dating back seven years.
“Symantec dropped the ball here,” he writes.
In Symantec’s defence, after Project Zero contacted the company, Symantec hopped to it. It fixed its products, issued a warning about them, along with information about how customers can update their products. And it promised to add “additional checks” to its security testing processes to prevent buggy security software in the future.
“Symantec takes the security and proper functionality of our products very seriously,” the company writes in its warning notice to its customers.
Symantec on a roller coaster
This black eye from Ormandy comes at a particularly troublesome time for Symantec.
Only a week ago it announced plans to acquire another security vendor, Blue Coat, for $4.65 billion in cash in a deal that was unusual for a couple of reasons.
First, the price. Symantec agreed to pay more for Blue Coat than it had generated in its last fiscal year. The company announced in May that it booked $3.6 billion in revenue for its 2016 fiscal year. (That was a drop of 9% from the previous year.)
So, to make the deal happen, Symantec leaned on private equity investors Silver Lake, who kicked in $1 billion, and Bain Capital (a major shareholder of Blue Coat) who kicked in $750 million.
Second, Symantec appointed Blue Coat’s CEO, Greg Clark, as Symantec’s new CEO. He’ll take over after the deal closes, expected to be next quarter. It’s pretty rare that a CEO of acquired companies are asked to run the company that just bought them.
But in this case, Symantec needed a new CEO. In April its board announced that CEO Michael Brown was out as soon as they could find his replacement. Brown had been in the role for barely two years. He orchestrated Symantec’s spin-out sale of its data storage unit Veritas, another strange deal where Symantec wound up getting $1 billion less than it expected from the deal.
Symantec actually has a long history of dismissing CEOs, sometimes after on a few years on the job, particularly when a big acquisition didn’t go well.
This big slam to Symantec’s reputation from one of the best known security researchers in the field is not a good sign for Clark’s upcoming new reign.