Symantec released an update to its anti-virus engine (AVE) to repair a kernel-level flaw that made the software susceptible to a memory access violation when parsing a specially crafted portable-executable (PE) header file.
Symantec said the critical vulnerability, CVE-2016-2208, affected Symantec anti-virus engine version 20220.127.116.11. No user interaction is required to trigger parsing of the malformed PE files, which can be received through email, by downloading a document or application, or by visiting a malicious web site.
“The most common symptom of a successful attack would result in an immediate system crash, aka Blue Screen of Death,” the company wrote in its update.
The fix is included in Symantec AVE version 2018.104.22.168, which was delivered to customers through its live update system.
The company credited Tavis Ormandy of Google's Project Zero with reporting the vulnerability.