The flaw was discovered by Tavis Ormandy, a member of Google's Project Zero team.
An advisory said because Symantec uses a filter driver to intercept all system I/O, emailing a file to a victim or sending them a link was enough to exploit the vulnerability.
It said on Linux, Mac and other UNIX platforms, this would results in a remote heap overflow as root in the Symantec or Norton process.
Proof of concept exploits were also provided along with this advisory.
In its advisory, Symante acknowledged the existence of the flaw. It said it had been notified of a critical issue in the AVE scan engine when parsing incoming malformed portable-executable (PE) header files.
"Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site. No user interaction is required to trigger the parsing of the malformed file," the advisory read.