Instead of targeting weaknesses in operating systems, those who write viruses and worms are increasingly targeting security applications themselves.
According to the annual Top 20 Vulnerabilities report issued by the SANS Institute, hackers have shifted their focus toward exploiting popular security products as a way to infect the PCs of unsuspecting users.
Some of the largest vendors in the industry have been targeted, the report noted, including Symantec, McAfee, Computer Associates, and Trend Micro.
The shift is cause for concern, SANS officials stated, because users do not regularly look for problems associated with security applications in the same way they keep watch on their e-mail programs or operating systems.
Seeing security applications turned into targets is not surprising to some security experts, who note that it makes sense, given how attackers work.
"If you want to do damage or steal information, first you pick an application used by a lot of people," said Secunia researcher Thomas Kristensen. "Best of all would be one that people trust, and security software certainly fits in that category."
Because of the prevalence of security risks as a result of the vast number of viruses, Trojans, and other malware circulating on the Internet, most people have installed security software on their computers and do not expect that these applications would be vulnerable to attack.
But this software is just as vulnerable as any other kind. And given that Internet security suites are very complex, the time between identified vulnerability and issued patch is sometimes several days, a delay that can give hackers an opening.
Several major Internet security suites have been targeted this year already and the companies developing these packages have been sensitive to the issues, attempting to anticipate the assaults on their applications.
Because most consumers who run Windows machines have at least antivirus software installed, the vendors are recognizing the importance of patching their applications quickly whenever a vulnerability is exposed.
Kristensen noted that, as the attacks increase, the firms will probably have to increase their efforts and add more user education into the mix.