Symantec released an update to its anti-virus engine (AVE) to repair a kernel-level flaw making the software susceptible to a memory access violation when parsing a specifically-crafted portable-executable (PE) header file.
Symantec said the critical vulnerability, CVE-2016-2208, affected Symantec anti-virus engine version 2022.214.171.124. These malformed PE files do not require any user interaction to trigger the parsing of the malformed files, but they can be received through email, downloading a document or application or by visiting a malicious web site.
“The most common symptom of a successful attack would result in an immediate system crash, aka Blue Screen of Death,” the company wrote in its update.
The fix is included in Symantec AVE version 20126.96.36.199, which was delivered to customers through its live update system.
The company credited Tavis Ormandy with Google's Project Zero for reporting the vulnerability.