February 10, 2005

Even security software gets attacked

In case you haven't heard, in the last week or so a bunch of security software has been found to be vulnerable to attack. First EWeek reported that a new trojan was targeting Microsoft's AntiSpyware Beta. Sophos reports that the trojan includes a keylogger and attempts to steal credit card details, turn off other anti-virus applications, delete files, install other malicious code and download code from the Internet. All the ugly stuff you wouldn't want to have happen.

Then it was found that a major flaw exists in most Symantec products, rated a high-risk vulnerability, with the warning that a successful exploit could lead to code execution attacks.

Then most recently ISS found that F-Secure Anti-Virus, F-Secure Internet Gatekeeper and F-Secure Internet Security are vulnerable to a buffer overflow, caused by improper bounds checking when handling ARJ archives.
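The F-Secure bug above is the classic archive-parsing failure: a length field read from the file is trusted before it is checked. To make the "improper bounds checking" point concrete, here is an added example (mine, not code from this post, F-Secure, or ISS) of a header parser that checks an untrusted length against both the destination buffer and the bytes actually held before copying anything. The header layout is a constructed simplification for illustration and is not the real ARJ format; the sample inputs are likewise constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified archive header (an assumption for this example;
 * it is NOT the real ARJ layout):
 *   bytes 0..1  magic 0x60 0xEA
 *   bytes 2..3  body_len, little-endian, attacker-controlled
 *   bytes 4..   header body of body_len bytes                       */
#define HDR_MAGIC0   0x60
#define HDR_MAGIC1   0xEA
#define HDR_PREFIX   4
#define MAX_HDR_BODY 256          /* fixed-size destination buffer */

enum parse_result {
    PARSE_OK = 0,
    PARSE_BAD_MAGIC,
    PARSE_TRUNCATED,   /* declared length runs past the bytes we hold */
    PARSE_TOO_LARGE    /* declared length exceeds the destination buffer */
};

struct header {
    uint16_t      body_len;
    unsigned char body[MAX_HDR_BODY];
};

static uint16_t rd16le(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Bounds-checked header parser. The declared length is untrusted, so it is
 * checked against BOTH limits before a single byte is copied:
 *  (1) the capacity of the fixed-size destination, and
 *  (2) the number of bytes actually present in the input buffer.
 * Skipping either check is the "improper bounds checking" pattern that
 * turns a length field into a buffer overflow. */
int parse_header(const unsigned char *buf, size_t buf_len, struct header *out)
{
    if (buf == NULL || out == NULL || buf_len < HDR_PREFIX)
        return PARSE_TRUNCATED;
    if (buf[0] != HDR_MAGIC0 || buf[1] != HDR_MAGIC1)
        return PARSE_BAD_MAGIC;

    uint16_t body_len = rd16le(buf + 2);
    if (body_len > MAX_HDR_BODY)          /* check (1) */
        return PARSE_TOO_LARGE;
    if (body_len > buf_len - HDR_PREFIX)  /* check (2); buf_len >= HDR_PREFIX here */
        return PARSE_TRUNCATED;

    out->body_len = body_len;
    memcpy(out->body, buf + HDR_PREFIX, body_len);
    return PARSE_OK;
}

/* Constructed sample inputs (not taken from any real archive). */
int sample_well_formed(void)
{
    const unsigned char in[] = { 0x60, 0xEA, 0x05, 0x00, 'h', 'e', 'l', 'l', 'o' };
    struct header h;
    int rc = parse_header(in, sizeof in, &h);
    if (rc != PARSE_OK) return rc;
    /* also verify the copied body is exactly what was declared */
    return (h.body_len == 5 && memcmp(h.body, "hello", 5) == 0) ? PARSE_OK : -1;
}

int sample_oversized_length(void)
{
    /* declares 0xFFFF body bytes: would overrun the 256-byte destination */
    const unsigned char in[] = { 0x60, 0xEA, 0xFF, 0xFF, 'x', 'x', 'x', 'x' };
    struct header h;
    return parse_header(in, sizeof in, &h);
}

int sample_truncated_input(void)
{
    /* declares 16 body bytes but only 2 are present: would read past the input */
    const unsigned char in[] = { 0x60, 0xEA, 0x10, 0x00, 'a', 'b' };
    struct header h;
    return parse_header(in, sizeof in, &h);
}

int sample_bad_magic(void)
{
    const unsigned char in[] = { 0x00, 0x00, 0x01, 0x00, 'z' };
    struct header h;
    return parse_header(in, sizeof in, &h);
}

int main(void)
{
    printf("well-formed:      %d (expect %d)\n", sample_well_formed(), PARSE_OK);
    printf("oversized length: %d (expect %d)\n", sample_oversized_length(), PARSE_TOO_LARGE);
    printf("truncated input:  %d (expect %d)\n", sample_truncated_input(), PARSE_TRUNCATED);
    printf("bad magic:        %d (expect %d)\n", sample_bad_magic(), PARSE_BAD_MAGIC);
    return 0;
}
```

The two checks are independent: a scanner that only compares the length against the destination buffer still reads past the end of a truncated file, and one that only checks the remaining input still overflows the destination on a large well-formed-looking header. Both have to be there, and both have to happen before the memcpy.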

Look, vulnerabilities are inevitable. They will happen in software, including security software. Security software != secure software, and you need to remember that. On top of that, I don't think it's fair to assume, just because flaws are detected, that the product doesn't do what it says it does.

When I look at how Symantec handled its issue, I was initially frustrated with the fact they had a vulnerability in something they were not even using anymore. But that quickly turned around to respect as their response to the problem was to simply remove it... one of the 4 things you can do when you find a threat like this. (If you don't know what I am talking about... you need to get the Microsoft Press book on Threat Modelling)

FSecure was quick to fix their problem, and they should be credited for that as well. In fact I was impressed with how quickly they came out with the fix. If anything, my only disappointment would be in the fact they were not more transparent in how they dealt with it. One of my favorite blogs is the FSecure Blog. Although it's written by staff in their lab... I notice they had no problem commenting on flaws in Microsoft products... but not their own. I have come to enjoy and respect their feed and would have expected them to be more open about their own issue through their blog once they released the fix. Instead they simply released an advisory and left it at that.

All in all, no software is immune to attack. How resilient it is in the face of those attacks is a different matter. And I think these guys did a good job in handling it. Of course trojans that turn off antispyware are much harder to defend against... which is why you should be running with least privilege as a way to reduce the attack surface available to such hostile code... eliminating its ability to copy itself into system directories.

But that's just me.

UPDATE: As Xavier Ashe has pointed out, FSecure has responded and posted a quick entry on the vulnerability in their stuff. Good show.

Posted by SilverStr at February 10, 2005 02:51 PM
Comments

Good point,

Security software is probably one of the more vulnerable types of software since it is often put into a trust position (who is firewalling the firewall?). Security software developers and those aspiring to be (such as myself) really need to take extra precautions to make sure their software is reliable and secure, and address issues quickly and diligently when they become known.

Posted by: Christopher Baus at February 10, 2005 03:35 PM

Either as a response to your posting or nice timing, Fsecure has updated their blog with a mention of their security hole. http://www.f-secure.com/weblog/#00000465

Posted by: Xavier Ashe at February 11, 2005 07:06 AM