Is there nothing sacred in the world of IT security? For years, McAfee Inc., Symantec Corp., and other antivirus software makers have helped companies keep their systems free of worms, Trojans, and other prickly pieces of code that can wreak havoc. Now these very same PC guardians are exposed for selling products that also are vulnerable to malicious attacks.
Vulnerabilities found recently in McAfee, Symantec, and Trend Micro software could let attackers compromise and even take control of computers running certain versions of their products. Because a scanner has to parse whatever files it is handed, including ones an attacker crafts, a memory-corruption bug in the scanning engine is reachable from outside; these flaws further highlight the problems with the antivirus industry's traditionally reactive approach to protection, and could even open the door a little wider for Microsoft's push into this market.
Symantec earlier this week revealed that its antivirus library is prone to multiple heap-based buffer overflow vulnerabilities, which attackers could exploit to compromise computers running applications that use these libraries for virus protection. The problem affects various releases of Symantec Norton SystemWorks, Symantec Norton Internet Security, Symantec Norton AntiVirus, Symantec Gateway Security, Brightmail Anti-Spam, and Symantec Client Security.
Security researcher Alex Wheeler was the first to report this most recent Symantec vulnerability, just as he did in February when, as a member of rival Internet Security Systems' X-Force research group, he discovered a vulnerability in the same antivirus library that affected Symantec's Brightmail AntiSpam, AntiVirus Corporate Edition, and other products. That earlier vulnerability was in the library's DEC2EXE module, the part of the scanning engine that unpacks UPX (Ultimate Packer for eXecutables) compressed executable files so they can be scanned, and it likewise allowed a heap-based buffer overflow.
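The class of bug behind both Symantec advisories is worth seeing in code: an unpacker reads a length field out of the file it is scanning and copies that many bytes into a heap buffer whose size was fixed in advance. The following is an added example written for this page, not Symantec's DEC2EXE code or any real UPX parser; the "PKEX" file layout, the 64-byte section buffer, and the function names are all hypothetical. It shows the trusting version beside a hardened one that treats the length field as attacker-controlled data, and it includes a truncated-file case, which is an over-read rather than an overflow but is caught by the same kind of check.

```c
/* Added example (hypothetical format, not Symantec's or UPX's code):
 * a toy "packed file" unpacker of the kind an AV engine runs on every
 * file it scans, with the heap-overflow pattern beside a hardened version. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed on-disk layout: 4-byte magic "PKEX", then a little-endian
 * uint32 declaring the packed section length, then the section bytes. */
#define PKEX_MAGIC  "PKEX"
#define HEADER_LEN  8
#define SECTION_BUF 64   /* heap buffer the unpacker allocates per section */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable: trusts the length field from the file and copies that many
 * bytes into a fixed-size heap chunk. A declared length above SECTION_BUF
 * writes past the chunk (heap overflow); one above the bytes actually
 * present over-reads the input. Shown for contrast; it behaves correctly
 * on well-formed files, which is exactly why such bugs ship. Never call it
 * on untrusted input. Returns bytes copied, or -1 on bad magic. */
int unpack_vulnerable(const uint8_t *file, size_t file_len) {
    if (file_len < HEADER_LEN || memcmp(file, PKEX_MAGIC, 4) != 0) return -1;
    uint32_t declared_len = rd32le(file + 4);
    uint8_t *section = malloc(SECTION_BUF);
    if (!section) return -1;
    memcpy(section, file + HEADER_LEN, declared_len);   /* heap overflow */
    free(section);
    return (int)declared_len;
}

/* Hardened: the length field is untrusted. Check it against both the
 * destination capacity and the bytes really present before copying.
 * Returns bytes copied; -1 bad magic/short header; -2 would overflow
 * the section buffer; -3 would read past the end of the file. */
int unpack_hardened(const uint8_t *file, size_t file_len) {
    if (file_len < HEADER_LEN || memcmp(file, PKEX_MAGIC, 4) != 0) return -1;
    uint32_t declared_len = rd32le(file + 4);
    if (declared_len > SECTION_BUF) return -2;            /* overflow */
    if (declared_len > file_len - HEADER_LEN) return -3;  /* over-read */
    uint8_t *section = malloc(SECTION_BUF);
    if (!section) return -1;
    memcpy(section, file + HEADER_LEN, declared_len);
    free(section);
    return (int)declared_len;
}

/* Constructed sample files. */
const uint8_t benign_file[]    = { 'P','K','E','X', 5,0,0,0, 'h','e','l','l','o' };
/* Declares 4096 bytes: would write 4032 bytes past a 64-byte heap chunk. */
const uint8_t oversized_file[] = { 'P','K','E','X', 0x00,0x10,0x00,0x00, 'A','B','C','D' };
/* Declares 32 bytes but carries only 4: would read past the input. */
const uint8_t truncated_file[] = { 'P','K','E','X', 32,0,0,0, 'A','B','C','D' };

int main(void) {
    printf("benign    -> vulnerable %d, hardened %d\n",
           unpack_vulnerable(benign_file, sizeof benign_file),
           unpack_hardened(benign_file, sizeof benign_file));
    /* Only the hardened parser is run on the malformed samples. */
    printf("oversized -> hardened %d\n", unpack_hardened(oversized_file, sizeof oversized_file));
    printf("truncated -> hardened %d\n", unpack_hardened(truncated_file, sizeof truncated_file));
    return 0;
}
```

The point of running both versions on the benign file is that they agree; a test suite of valid samples never exercises the missing check, and a scanner sees hostile input by design, so the length field has to be bounded by the allocation and by the data actually present, not assumed from the header.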
As Symantec was scrambling to create a fix for its latest security flaw, competitor McAfee this week issued an alert saying that various versions of its VirusScan software were prone to an arbitrary file overwrite vulnerability that could let attackers create and modify arbitrary files. The flaw exists in a dynamic link library (DLL) used by McAfee products, which attackers could exploit to write data onto the victim's PC. In other words, the very software that was supposed to protect a PC could be turned against it. The company quickly issued updates that it says fix the problem.
Not to be left out, Trend Micro's PC-Cillin Internet Security antivirus and network security software for Windows was found by the security research firm VeriSign iDefense to be susceptible to a vulnerability that lets attackers escalate their user privileges, or disable protection altogether, because version 12.00 build 1244 fails to apply secure permissions to its application and data files. Attackers can also overwrite arbitrary binaries that the product executes with system-level privileges, which could mean a complete compromise of affected computers.
The problems that McAfee, Symantec, Trend Micro, and other antivirus companies face indicate that they're no better than any other software vendor at writing quality code, says Burton Group principal analyst Fred Cohen. But since attackers can't easily get to code in software that's distributed via a network to PC users, any exploitation would likely have to happen from inside one of these vendors, he says.
This raises questions regarding how much trust should be placed in these vendors, and in the update model they employ. It's a reactive measure to be sure, but it's also one that relies on users trusting their vendors to install software directly onto their PCs. Cohen questions, "What if someone at one of these vendors plants a Trojan horse on your system?"
Meanwhile, such vulnerabilities may make it difficult for the antivirus specialists to prove that their security software is the best available as Microsoft enters the market. "Many antivirus vendors were saying, 'Yeah, right, who's going to buy antivirus software from Microsoft when they can't keep their own products secure,'" says Gartner VP and research fellow John Pescatore. But if Microsoft's offerings are less expensive, and the antivirus vendors can't prove what they offer is of superior quality, they could lose business.
The recent events also could ignite a change in how much companies rely on the install-and-upgrade antivirus software model. The long-term solution to the malware epidemic is more likely to come in the form of trusted computing initiatives where digital keys, certificates, and passwords are stored on microprocessors in PCs, servers, and other hardware. "This will have a serious impact in five-to-seven years on the antivirus, antispyware, and anti-malware markets," Cohen says.
Why so long? Because the 15 million trusted clients that PC vendors have shipped so far aren't nearly enough to make an impact. "You need 100 million trusted computers," Cohen says. That won't happen until at least the next major round of PC replacements, a cycle that takes place every three-to-five years.