Symantec’s Vulnerabilities Expose Antivirus Industry’s Security Gaps
This month Symantec Corporation began the first round of layoffs as what it calls “Project Ascent” gets underway. Ascent is nothing more than cost cutting, beginning with some of its labor force. The unlucky first-rounders will be only the first of the 1,700 employees the company has announced it will show the door. However, it seems Symantec has more problems this week than bad PR from disgruntled ex-employees.
This week, Google security researcher Tavis Ormandy announced that he’d found numerous critical vulnerabilities in Symantec’s entire suite of anti-virus products. That’s 17 Symantec enterprise products in all, and eight Norton consumer and small-business products. The worst thing about Symantec’s woes? They’re just the latest in a long string of serious vulnerabilities uncovered in security software.
Some of Symantec’s flaws are basic, and should have been caught by the company during code development and review. But others are far more serious, and would allow an attacker to gain remote code execution on a machine, a hacker’s dream. One particularly devastating flaw could be exploited with a worm. Just by “emailing a file to a victim or sending them a link to an exploit … the victim does not need to open the file or interact with it in any way,” Ormandy wrote in a blog post Tuesday, further noting that such an attack could “easily compromise an entire enterprise fleet.”
It gets worse. The flaw exists in an unpacker Symantec uses to examine compressed executable files it thinks might be malicious. So the vulnerability would let attackers subvert the unpacker to take control of a victim’s machine. Essentially, a core component Symantec uses to detect malware could be used by intruders to aid their assault.
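The failure mode described above is a parser that trusts lengths taken from the file it is unpacking. The following is an added illustration written for this article, not Symantec’s unpacker or any real vendor format: it defines a toy run-length-encoded container (a constructed format with a two-byte magic, a declared output length, and (count, byte) pairs) and shows the checks a defensively written unpacker performs before it writes anything. Every length the file controls is validated against the buffer that actually exists, so a malformed header or run is rejected instead of overrunning memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical toy container, constructed for this example only:
 *   bytes 0-1: magic "RL"
 *   bytes 2-3: declared unpacked length, 16-bit little-endian
 *   bytes 4.. : (count, value) run-length pairs
 */
#define HDR_LEN 4

/* Returns the number of bytes written to out, or -1 if the input is
 * malformed. Each file-controlled length is checked before it is used. */
long unpack_rle(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    if (in_len < HDR_LEN || in[0] != 'R' || in[1] != 'L')
        return -1;                      /* truncated header or wrong magic */

    size_t declared = (size_t)in[2] | ((size_t)in[3] << 8);
    if (declared > out_cap)
        return -1;                      /* header promises more than out can hold */

    size_t pos = HDR_LEN, written = 0;
    while (pos < in_len) {
        if (in_len - pos < 2)
            return -1;                  /* dangling half of a pair */
        size_t count = in[pos];
        uint8_t value = in[pos + 1];
        pos += 2;
        if (count > declared - written)
            return -1;                  /* run would exceed the declared size */
        memset(out + written, value, count);
        written += count;
    }
    if (written != declared)
        return -1;                      /* stream ended before filling declared size */
    return (long)written;
}

/* Constructed inputs exercising the happy path and three malformed cases. */
long demo_good(void)
{
    const uint8_t in[] = { 'R', 'L', 5, 0, 3, 'A', 2, 'B' };   /* -> "AAABB" */
    uint8_t out[64];
    return unpack_rle(in, sizeof in, out, sizeof out);
}

int demo_good_content_matches(void)
{
    const uint8_t in[] = { 'R', 'L', 5, 0, 3, 'A', 2, 'B' };
    uint8_t out[64];
    long n = unpack_rle(in, sizeof in, out, sizeof out);
    return n == 5 && memcmp(out, "AAABB", 5) == 0;
}

long demo_oversized_header(void)
{
    const uint8_t in[] = { 'R', 'L', 0xFF, 0xFF, 0xFF, 'A' };  /* claims 65535 bytes */
    uint8_t out[64];
    return unpack_rle(in, sizeof in, out, sizeof out);
}

long demo_run_overflow(void)
{
    const uint8_t in[] = { 'R', 'L', 2, 0, 5, 'A' };           /* run of 5 into 2 */
    uint8_t out[64];
    return unpack_rle(in, sizeof in, out, sizeof out);
}

long demo_truncated(void)
{
    const uint8_t in[] = { 'R', 'L', 1 };                      /* header cut short */
    uint8_t out[64];
    return unpack_rle(in, sizeof in, out, sizeof out);
}

int main(void)
{
    printf("good=%ld oversized=%ld overflow=%ld truncated=%ld\n",
           demo_good(), demo_oversized_header(),
           demo_run_overflow(), demo_truncated());
    return 0;
}
```

The point is where the checks sit: the declared length is compared against the real output capacity before the loop starts, and each run is compared against what remains of that declared length before the write. A scanner that unpacks untrusted files on every machine in a fleet needs exactly this kind of bound on every file-supplied value, ideally in a sandboxed, low-privilege process so that a missed check does not become the remote code execution Ormandy describes.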
“These vulnerabilities are as bad as it gets,” Ormandy wrote. He would know. Ormandy has previously discovered serious flaws in products belonging to a string of high-profile security shops like FireEye, Kaspersky Lab, McAfee, Sophos, and Trend Micro. In some cases, the flaws only allowed an attacker to bypass antivirus scanners or undermine the integrity of detection systems. But in others, like this Symantec scenario, they turned the security software into an attack vector for intruders to seize control of a victim’s system.
This isn’t the way it’s supposed to be. Security software tasked with protecting our critical systems and data shouldn’t also be the biggest vulnerability and liability present in those systems. Ormandy has criticized the antivirus industry for years for failing to secure its own software, and for failing to open their code to security professionals to audit for vulnerabilities.
It’s a serious problem, though it’s unclear how actively hackers exploit these vulnerabilities. “[W]e don’t have perfect visibility into what attackers are doing,” Ormandy wrote in an email to WIRED. “We do have good evidence that antivirus exploits are bought and sold on the black and grey markets, but we rarely find out what the buyers use them for.”
Computing’s Soft Underbelly
Security software is an ideal target for attackers because it’s trusted code that operates with high levels of privilege on machines, giving attackers a great advantage if they can subvert it. In many cases, the same software can be running on every desktop or laptop machine on an organization’s network, exposing a large attack surface to compromise if the software contains vulnerabilities. And that’s just antivirus code. Other security software, such as intrusion detection systems and firewalls, are even juicier targets, says Chris Wysopal, CTO of Veracode. They’re in a prime spot on an organization’s network, connecting to a lot of important machines, and accessing most of the data traffic that crosses it.
Because of this, Wysopal says that security vendors should be held to a higher standard than the makers of other software. Yet aside from Ormandy, few security researchers have examined these systems for vulnerabilities. They’ve focused instead on finding vulnerabilities in operating system software and applications, while ignoring the software that purports to keep us secure.
Wysopal suggests security researchers may overlook security software because they’re too close to the problem. Many in this line of work are employed by other security firms, he says, “and they’re not going to attack their own. Maybe it doesn’t look good for a Symantec researcher to be publishing a flaw in McAfee.”