In case you haven't heard, in the last week or so a bunch of security
software has been found to be vulnerable to attack. First EWeek reported
that a new trojan was targeting Microsoft's AntiSpyware Beta. Sophos
reports that the trojan includes a keylogger and attempts to steal
credit card details, turn off other anti-virus applications, delete
files, install other malicious code and download code from the
Internet. All the ugly stuff you wouldn't want to have happen.
Then a major flaw was found in most Symantec products, rated as a
high-risk vulnerability, with the warning that a successful exploit
could lead to code execution attacks.
Then most recently ISS found
that F-Secure Anti-Virus, F-Secure Internet Gatekeeper and F-Secure
Internet Security are vulnerable to a buffer overflow, caused by
improper bounds checking when handling ARJ archives.
Look, vulnerabilities are inevitable. They will happen in software, including security software. Security software != secure software,
and you need to remember that. On top of that, I don't think it's fair
to assume that just because flaws are detected the product doesn't do
what it says it does.
When I looked at how Symantec handled its issue, I was initially
frustrated with the fact they had a vulnerability in something they
were not even using anymore. But that quickly turned around to respect
as their response to the problem was to simply remove it… one of the
4 things you can do when you find a threat like this. (If you don't
know what I am talking about… you need to get the Microsoft Press
book on Threat Modeling)
F-Secure was quick to fix their problem, and they should be credited
for that as well. In fact I was impressed with how quickly they came
out with the fix. If anything, my only disappointment would be in the
fact they were not more transparent in how they dealt with it. One of
my favorite blogs is the F-Secure Blog.
Although it's written by staff in their lab… I notice they had no
problem commenting on flaws in Microsoft products… but not their own.
I have come to enjoy and respect their feed and would have expected
them to be more open about their own issue through their blog once they
released the fix. Instead they simply released an advisory and left it at that.
All in all, no software is immune to attack. How resilient it is in
the face of those attacks is a different matter. And I think these guys
did a good job in handling it. Of course trojans that turn off anti-spyware
are much harder to defend against… which is why you should be running
with least privilege, reducing the attack surface such hostile code can
reach… eliminating its ability to copy malicious code into system
directories.
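To make the least-privilege point concrete, here is an added PowerShell check (my own illustration, not code from this post or from any of the vendors named in it): it reports whether the current session holds the Administrators role and whether it can actually create a file in the Windows system directories. The list of directories probed is an assumption of the example. Run it from your everyday account; if either answer comes back yes, hostile code launched from that account inherits the same ability to drop files there.

```powershell
# Added illustration (not from the original post): verify that the current
# session runs with least privilege, i.e. it is not an administrator and it
# cannot write into the system directories malware likes to copy itself to.

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Probe with a real create/delete rather than reading the ACL: effective
    # access depends on group membership, inheritance and token privileges.
    $probe = Join-Path $Path ("lp-probe-" + [Guid]::NewGuid().ToString("N") + ".tmp")
    try {
        [IO.File]::WriteAllText($probe, "probe")
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch [UnauthorizedAccessException], [IO.IOException] {
        # Access denied, or the directory does not exist: either way, not writable.
        return $false
    }
}

# Directories to probe (assumed list for this example).
$systemDirs = @(
    $env:SystemRoot,
    (Join-Path $env:SystemRoot "System32"),
    $env:ProgramFiles
)

$isAdmin      = Test-IsAdministrator
$writableDirs = @($systemDirs | Where-Object { Test-DirectoryWritable -Path $_ })

"Running as administrator: $isAdmin"
foreach ($dir in $systemDirs) {
    "{0,-40} writable: {1}" -f $dir, ($writableDirs -contains $dir)
}

if ($isAdmin -or $writableDirs.Count -gt 0) {
    Write-Warning "This session can modify system directories; any hostile code it runs could too."
} else {
    "Session is running with least privilege for these directories."
}
```

The probe deliberately creates and deletes a real file instead of inspecting permissions, because what matters for the post's argument is the effective access of the token the trojan would run under, not what the ACL looks like on paper.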
But that's just me.
[Dana Epp's ramblings at the Sanctuary]