Google’s “project zero” team, a group of security analysts tasked with hunting for computer bugs, discovered a heap of critical vulnerabilities in Symantec (SYMC) and Norton security products. The flaws allow hackers to completely compromise people’s machines simply by sending them malicious self-replicating code through unopened emails or un-clicked links.
The vulnerabilities affect millions of people who run the company’s endpoint security and antivirus software, rather ironically to protect their devices. Indeed, the flaws rendered all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand) open to attack.
In the words of Tavis Ormandy, an English hacker who works on the Google (GOOG) team: “These vulnerabilities are as bad as it gets”—and have “potentially devastating consequences.”
Get Data Sheet, Fortune’s technology newsletter.
“An attacker could easily compromise an entire enterprise fleet using a vulnerability like this,” Ormandy writes on a Google blog. “Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
Ormandy’s post published soon after Symantec issued advisories of its own, which credit him for reporting the bugs. “An attacker could potentially run arbitrary code by sending a specially crafted file to a user,” the notice warns, before mentioning that the company has “verified these issues and addressed them in product updates.”
For more on Symantec, watch:
The vulnerabilities affect a “decomposer engine”—a program that unpacks compressed files in order to help scan for potentially malicious ones—that’s used across Symantec’s products. “It’s extremely challenging to make code like this safe,” Ormandy writes. To avoid such problems, Ormandy recommends that security vendors use sandboxing, a technique that detonates suspicious code in a secure, virtual environment, as well as security-first software development strategies.
Ormandy further demonstrated that the flaws can be exploited to propagate computer worms, meaning virally infectious malware. “Just emailing a file to a victim or sending them a link to an exploit is enough to trigger it,” he says, “the victim does not need to open the file or interact with it in anyway.”
Symantec, which recently purchased the Bain Capital-backed cybersecurity firm Blue Coat for $4.65 billion, also employed open source code that it failed to update even after seven years of use, Ormandy notes. He lists the additional vulnerabilities in that code here.
Ormandy has been on a tear rooting out similarly nasty computer bugs. He helped identify comparable flaws—known technically as buffer overflows and memory corruption vulnerabilities—in products developed by the cybersecurity companies Comodo, ESET, Kaspersky, Fireeye (FEYE), Intel (INTC) Security’s McAfee, Trend Micro (TMICY), and others in recent years.
Customers of Symantec should visit the company’s website to learn which products have been updated automatically, and which require manual updates.
