Norton AntiVirus for Macintosh causes Mac vulnerability
A vulnerability in Symantec Norton AntiVirus for Macintosh enables users to escalate their privileges. According to an advisory this is caused by the access rights to the /Library/ApplicationSupport folder being set incorrectly. As a result it is possible to rename or delete files and subdirectories contained within this folder. As some of the NAV programmes start with SUID privileges and access additional applications in the Application Support folder, this may allow attackers to inject arbitrary applications into this folder and execute them at root privilege level. A successful attacker needs to have Mac OS X admin privileges, but most Mac users are members of the admin group. In addition, the "Mount Scanning" and "Show Progress During Mount Scans" options need to be activated in the anti-virus programme.
Norton AntiVirus for Macintosh 9.x-10.x, Norton Internet Security for Macintosh 3.x, and Symantec AntiVirus for Macintosh 10.0 and 10.1 are affected. There are no patches or updates. Symantec suggests disabling the "Show Progress During Mount Scans" option. As an alternative, the vendor recommends setting the sticky bit for the /Library/Application Support directory (sudo/bin/chmod +t "Library/Application Support") in order to only allow the folder owner to delete files and subdirectories in the folder. Symantec also points out that using Apple's Disk Utility to subsequently repair access rights will delete the sticky bit.
- Symantec AntiVirus for Macintosh and Norton AntiVirus for Macintosh Local Elevation of Privilege, Symantec security advisory
- Security Advisory: Norton AntiVirus for Macintosh, Security advisory by W. Carrel