Get patching, sysadmins, there's a zero-day in Symantec Endpoint Protection (SEP).
This US-CERT advisory:
https://www.us-cert.gov/ncas/current-activity/2014/08/04/Local-Privilege-Escalation-Vulnerability-Symantec-Endpoint is alerting anyone who ignored Symatec's note about the issue:
http://www.symantec.com/business/support/index?page=content&id=TECH223338CVE-2014-3434 is a local access vulnerability with a public exploit. A client buffer overflow can cause a blue-screen-of-death on the client, which could also expose the client to unauthorised local privilege escalation.
It affects all builds of SEP client 12.1 and 11.0, and all builds of SEP 12.0 Small Business Edition. Unaffected products are SEP Manager, SEP Endpoint Protection 12.1 Small Business Edition, SEP cloud and Symantec Network Access Control.
The vuln was one of many turned up by Offensive Security in this blog post:
http://www.offensive-security.com/vulndev/symantec-endpoint-protection-0day/ Offensive Security says only some of its discoveries have been acted on, and is pimping its talk at Black Hat, at which it will detail the rest.
According to Symantec, the fault is in the sysplant driver, which doesn't properly validate external input. It's part of the SEP client's Application and Device Control component, which means disabling that component will serve as a workaround if you can't patch immediately.
Offensive Security reported the issue to Symantec on 29 July, and an exploit authored by Bradley Sean Susser of Bot24 Inc was published yesterday. Symantec has issued a patch for the issue.
(ElReg)