Vulnerabilities in security software leave users open to attacks

In most people’s minds, antivirus and security software equals better security. But thanks to security researchers who have taken it upon themselves to analyze some of those offerings, we are discovering that that belief is not necessarily true.

AV and security software is not immune to exploitable bugs, and can provide a way into a target’s system. What’s more, the fact that this type of software has to have privileged access to the system in order to work as it is supposed is an added boon for would-be attackers.

Earlier this month we reported about vulnerabilities found in Kaspersky, FireEye, Avira and Webroot security software. The discovered zero-days in Kaspersky’s solutions were the work of Google security researcher Tavis Ormandy, who’s infamous for releasing vulnerability information to the public in order to spur developers into fixing them quickly.

Ormandy, who has in the past analyzed Sophos’ and ESET’s security solutions for bugs, uses Google’s compute horsepower to perform some quality fuzz testing of the target software.

“As well as fuzzing, I’ve been auditing and reviewing the design, resulting in identifying multiple major flaws that Kaspersky are actively working on resolving. These issues affect everything from network intrusion detection, ssl interception and file scanning to browser integration and local privilege escalation,” he noted in a blog post.

“We have strong evidence that an active black market trade in antivirus exploits exists. Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks,” Ormandy pointed out. “For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.”

All in all, he’s pretty satisfied with Kaspersky’s “record breaking response times” to his releases, and has shared with them details about a slew of other critical bugs and design flaws he found in the company’s Antivirus and Internet Security solutions. Most of these problems could result in a complete compromise of users’ system.

Still, the fact that vulnerabilities in security software exist is not a reason for users to stop using it, as it’s unlikely that they will be exploited by generic malware wielded by your garden-variety cyber crook. This is the type of bugs that are more interesting to attackers that aim for specific targets, after they discovered what type of software they use.

In the end, he advised developers of antivirus unpackers, emulators and parsers to implement a sandbox in order to minimize the damage attackers can effect.

“The chromium sandbox is open source and used in multiple major products,” he pointed out. “Don’t wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today.”