Computer security giant Symantec, a Fortune 500 company that has been providing antivirus software solutions for more than 35 years, is once again facing a consumer class action complaint based on the alleged unreliability of its products. The Symantec class action lawsuit was initially filed in April 2018, and it covered a span of more than 10 years during which the company reportedly sold defective products to consumers under the Norton and Symantec brands.
Generally, Symantec sells network security products on a retail basis under the Norton brand; the Symantec brand is more commonly associated with enterprise solutions such as Advanced Threat Protection. Both Norton and Symantec products contain a software system known as the AntiVirus Decomposer Engine, which has been in use since 2005. That year marks the beginning of the period covered by the class action lawsuit, which ends in 2016.
The AntiVirus Decomposer Engine is at the heart of the lawsuit. In April 2016, a team of information security experts working on behalf of internet giant Google contacted Symantec about certain vulnerabilities in the engine, which decompresses executable files so that they can be scanned for malicious code embedded in them. Project Zero is the name of the network security team put together by Google in 2014; since then, team members have detected critical flaws and vulnerabilities in the Microsoft Windows operating system and the Cloudflare hosting security network, as well as the Meltdown and Spectre microprocessor flaws, among other major discoveries.
With regard to this Symantec class action lawsuit and the engine mentioned above, Project Zero noticed that legacy open source code used to develop Norton and Symantec products was vulnerable to malicious attacks. Even though various patches and fixes were released by the open source community as well as by third parties to address these issues, the class action lawsuit alleges that Symantec failed to make remedial updates. Project Zero also noticed that Symantec did not apply the principle of least privilege when designing the engine, so file decompression and virus scanning were carried out in sensitive, highly privileged areas of the operating system.
Project Zero’s comments on the Symantec strategy explain that the antivirus company actually made computers and networks more vulnerable to malicious attacks. In the case of Linux and Mac OS X systems, hackers could perform a clean overflow attack as if they had root privileges. As for machines running the Windows operating system, attacks could be perpetrated by taking advantage of kernel memory corruption issues.
Applying the principle of least privilege is something that can be accomplished through sandbox environments, which Symantec did not get around to doing until 2017. What this means for consumers and business owners who installed Norton and Symantec antivirus solutions from 2005 to 2016 is that their systems were actually vulnerable as indicated by the security experts at Project Zero. Interestingly, a class action lawsuit for defective Norton antivirus products was filed in 2017 by plaintiffs in Quebec, and punitive damages were sought in that particular Canadian case.
The crux of this class action lawsuit goes beyond trying to get refunds for plaintiffs who purchased Norton and Symantec products during the 2005-2016 period; there are issues related to misrepresentation and false advertising as well as serious omissions by Symantec. By neglecting to patch the affected open source code and waiting to implement a sandbox environment, Symantec essentially made computers and networks virtual honeypots for hackers to ply their wicked trade. There may be room for demanding damages to be paid by Symantec if the AntiVirus Decomposer Engine resulted in systems being attacked, networks breached and data stolen.