Anti Virus software has long been a concern of the security community. While it endeavors to protect the user’s workstation, in order to do it’s job, it requires a lot of system level permissions. This week, at least with Symantec, that came home to roost.
Tavis Ormandy a researcher from Google announced that he’d found numerous critical security vulnerabilities in Symantec’s suite of anti-virus software. That suite covers 17 enterprise software products and 8 consumer and small business products.
While some of the bugs are simple, others are quite fatal and would allow an attacker to remotely control the user’s computer.
One bug would allow the attacker to take over an entire enterprise by just sending an infected file or malicious link – without the user ever doing anything. This is because the anti-virus software has to open files and links when they arrive to see if they are malicious and that code has the flaws in it.
Ormandy says these flaws are “as bad as it gets“. He is the guy who has made a career out of finding security holes in security software. His previous finds include FireEye, Kaspersky, McAfee, Sophos and Trend Micro – pretty much everyone in the anti-virus business and then some.
While we do not know how actively hackers and foreign governments are exploiting these vulnerabilities, they probably will now if they have not been doing so in the past.
What is not clear is how come these vulnerabilities exist. After all, security companies, more than anyone else, should understand the problem of vulnerable software. Yet, apparently, they do not.
Chris Wysopal of software testing vendor Veracode had a number of comments to make about the situation. He thinks that at least some of these vulnerabilities would have been detected by the software testing products his company makes.
Symantec has now patched these vulnerabilities, but that doesn’t mean that customers have applied these patches. It also doesn’t mean that there aren’t other vulnerabilities not yet detected.
And since most of this code from Symantec and other vendors like them runs with very high privileges, this software is more likely to put your system at risk than, say, a word processor.
At a minimum, everyone needs to make sure that their anti-virus software is patched as soon as the patches are released. When they are released to you, they will be released to the hackers as well.
Ormandy says that maybe the anti-virus vendors did not understand that they had a problem, but I have a hard time believing that. More likely, they figured that they could get away with not spending too much effort at testing their software. Mr. Ormandy is on a mission to prove that theory wrong and I think he is doing pretty good at that mission.
Information for this post came from Wired.