A few weeks ago, the Spanish antivirus vendor Panda had to deal with a serious problem: there was a buffer-overflow error within its antivirus library. Had a criminal hacker been able to exploit this vulnerability, the cracker could have taken over vulnerable machines using Panda Antivirus. Fortunately, Panda quickly patched the flaw, but a situation like this nonetheless raises the question: how safe are our security apps? And why haven't we heard more about security app flaws until now?
Are antivirus apps secure?
All software has flaws; there's no way to rule that out. But for years, security researchers didn't bother to investigate the most obvious of all software targets: security apps themselves. Then, earlier this year, we began to hear about flaws in Symantec Norton AntiVirus and McAfee VirusScan. The muckraker leading these disclosures is Alex Wheeler, a security researcher formerly of Internet Security Systems (ISS), a security consulting firm, and now of rem0te.com, an independent research site. Back in June, Wheeler, along with Neel Mehta, also of ISS, gave a talk at CanSecWest on insecurity within antivirus apps; they reprised that talk a month later at the Black Hat Briefings in Las Vegas.
By the time CanSecWest, the annual Canadian security conference, rolled around, Wheeler had already made a name for himself by exposing problems in Norton AntiVirus, McAfee VirusScan, F-Secure Internet Security, and Trend Micro. Some vulnerabilities were quite narrow in scope: McAfee VirusScan, for instance, produced a buffer overflow, but only when processing LHA compressed files on Linux.
Most of the vulnerabilities found by Wheeler have been of the dreaded buffer overflow variety. This is where a programmer sets aside a fixed amount of space for some input data; if the input exceeds that space and the program never checks the length, the excess can overwrite adjacent memory, including data the program itself relies on. It's not easy to do this, but when it is possible, crackers can gain control of a vulnerable PC. So it's kind of ironic that your antivirus software may offer an attacker entry to your "secured" PC.
After CanSecWest, Wheeler left ISS and, on his own, continued to look for holes within antivirus software. In June, he found a buffer-overflow flaw within Computer Associates' antivirus software. In July, Sophos admitted a buffer-overflow flaw in its antivirus protection. By October, Wheeler had found a flaw within Kaspersky Antivirus. And in November, he found the buffer-overflow flaw within Panda.
Why do such a thing?
At Black Hat USA, I had a chance to sit down with Wheeler, who confessed that not all antivirus vendors were happy to hear about his research. One, F-Secure, welcomed Wheeler's research and worked with him to update and improve its software. Other vendors--which Wheeler declined to name--were harder to convince. Some antivirus vendors issued a new signature file to their customers as a remedy for the software flaw. Wheeler says that won't work. The vendors need to upgrade the software itself, not the antivirus database. Not all of the vendors he's contacted have done that, preferring to wait until their next release.
Commercial software isn't alone
Wheeler didn't just look at big-name antivirus software; he even tackled ClamAV, the open-source antivirus project on which many "free" antivirus apps are based. He said there, too, the programmers were able to fix the problem, but it wasn't done quickly (open-source programmers are volunteers). And given that it is open source, the fixes haven't all propagated to the products that have been derived from the ClamAV code.
Through reverse engineering, Wheeler found that many of the antivirus apps are organised in a similar fashion. This isn't to say that programmers copy each other's code, but there appears to be a set logic in how files are examined by different antivirus scanners. A common problem Wheeler sees is that an antivirus scanner will unpack a compressed file down to a certain level, then make a decision as to whether the file is malicious. Should a cracker decide to compress the virus file even further, a malicious file might get through an antivirus scan. Also, as new types of malicious code hit the Internet, the antivirus vendors seem content to merely add another scanner to the package. This overall lack of integration might explain some of the serious performance drags we're starting to notice in this year's antivirus software offerings.
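To make the two failure classes above concrete (the unchecked length field that turns a file parser into a buffer overflow, and the nesting limit that quietly returns "clean" when it is exceeded), here is an added example in C. It is not code from the column or from any antivirus vendor: the record format, the signature string, the MAX_DEPTH and FIELD_MAX constants, and the sample files are all constructed for this illustration. The scanner takes a policy flag so that the flawed "stop unpacking and call it clean" behaviour can be compared side by side with a fail-closed version that reports the content as unscanned.

```c
/* Added example, not code from the column or any vendor: a toy container
 * format and a toy scanner that illustrate two failure classes the text
 * describes. (1) A length field read from the file and trusted without a
 * bounds check, which is how a buffer overflow gets into a file parser.
 * (2) A nesting-depth limit whose "limit exceeded" branch returns CLEAN
 * instead of reporting that the content was never scanned.
 * The record layout, the signature and the samples are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy record layout: [type:1][len:1][payload:len].
 * type 'D' = data blob, type 'N' = nested container (payload is more records). */
#define MAX_DEPTH 3      /* how many nested containers the scanner will open */
#define FIELD_MAX 16     /* size of the fixed buffer a field is copied into */

/* Constructed "signature": a data record containing this string is "malicious". */
static const char SIG[] = "TOY-SIGNATURE";

/* Ordered so that the worst verdict seen wins when records are combined. */
enum verdict { CLEAN = 0, UNSCANNED = 1, MALICIOUS = 2 };

/* (1a) The vulnerable pattern. The length byte comes from the file, the
 * destination is a fixed-size buffer, and nothing relates the two: a record
 * with len > FIELD_MAX writes past the end of `out` (undefined behaviour).
 * Kept only for contrast; it is never called on an untrusted record here. */
static void copy_field_unchecked(const uint8_t *rec, char out[FIELD_MAX]) {
    memcpy(out, rec + 2, rec[1]);
}

/* (1b) The hardened form: the length is checked against both the bytes left
 * in the input and the destination size before any copy happens.
 * Returns 0 on success, -1 if the record is truncated or oversized. */
static int copy_field_checked(const uint8_t *rec, size_t remaining, char out[FIELD_MAX]) {
    if (remaining < 2) return -1;                 /* no room for a header */
    size_t len = rec[1];
    if (len > remaining - 2 || len > FIELD_MAX) return -1;
    memcpy(out, rec + 2, len);
    return 0;
}

/* Naive substring search; memmem() is not standard C. */
static int contains(const uint8_t *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* (2) Scan one container. `fail_closed` selects what happens when a nested
 * container sits deeper than MAX_DEPTH: 0 reproduces the decision the text
 * describes (stop unpacking and treat the rest as clean); 1 reports UNSCANNED
 * so the caller can block or quarantine instead of waving the file through. */
static enum verdict scan(const uint8_t *buf, size_t n, int depth, int fail_closed) {
    enum verdict worst = CLEAN;
    size_t off = 0;
    while (off < n) {
        const uint8_t *rec = buf + off;
        size_t remaining = n - off;
        if (remaining < 2) return UNSCANNED;          /* truncated header */
        size_t len = rec[1];
        if (len > remaining - 2) return UNSCANNED;    /* length field lies about the input */
        enum verdict v;
        if (rec[0] == 'N') {
            if (depth + 1 > MAX_DEPTH)
                v = fail_closed ? UNSCANNED : CLEAN;
            else
                v = scan(rec + 2, len, depth + 1, fail_closed);
        } else if (rec[0] == 'D') {
            v = contains(rec + 2, len, SIG) ? MALICIOUS : CLEAN;
        } else {
            v = UNSCANNED;                            /* unknown record type */
        }
        if (v > worst) worst = v;
        off += 2 + len;
    }
    return worst;
}

/* Build a sample: the signature inside a data record, wrapped in `wraps`
 * nested containers. Returns the total length, or 0 if it does not fit. */
static size_t build_sample(int wraps, uint8_t *out, size_t cap) {
    size_t n = strlen(SIG);
    if (n + 2 > cap) return 0;
    out[0] = 'D'; out[1] = (uint8_t)n;
    memcpy(out + 2, SIG, n);
    n += 2;
    for (int i = 0; i < wraps; i++) {
        if (n + 2 > cap || n > 255) return 0;
        memmove(out + 2, out, n);                     /* make room for a new header */
        out[0] = 'N'; out[1] = (uint8_t)n;
        n += 2;
    }
    return n;
}

int main(void) {
    uint8_t buf[64];
    char field[FIELD_MAX];
    const uint8_t benign[] = {'D', 3, 'a', 'b', 'c'};
    copy_field_unchecked(benign, field);              /* safe only because len is known to fit */
    size_t n = build_sample(MAX_DEPTH + 1, buf, sizeof buf);
    printf("too-deep sample: open policy -> %d, fail-closed policy -> %d\n",
           scan(buf, n, 0, 0), scan(buf, n, 0, 1));
    return 0;
}
```

The point of the two policies is that the limit itself is reasonable (unbounded unpacking is its own denial-of-service risk); what matters is which verdict the scanner hands back when it stops. A file the scanner could not fully inspect is not evidence of anything, and reporting it as UNSCANNED lets the surrounding product decide whether to block it, rather than silently passing it through.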
Kaspersky's mea culpa
Don't take my word for it. Or Wheeler's. None other than antivirus researcher Eugene Kaspersky recently wrote an interesting self-examination and concluded that modern antivirus protection isn't all that it's cracked up to be. Kaspersky also commented on antivirus certifications, such as the Virus Bulletin 100% Award, saying that its testing methodologies are not without flaws and therefore should not be seen as an accurate indicator of an antivirus app's ability to perform reliably in the future. I'm surprised Kaspersky's comments haven't spurred more discussion--or maybe there's tacit approval from others in the antivirus industry.
So, should you throw out your antivirus software? No, I'm not saying that. I am only saying don't be surprised when you read a headline stating that such-and-such antivirus software has a security flaw within it. It's software; it's not perfect. The real question is whether the vendor will fix the flaw--and will do so properly. So far, the antivirus community has (if begrudgingly) fixed its flaws. Microsoft, on the other hand, has some outstanding security flaws in Internet Explorer that are approaching three years and counting. I'm amazed the software giant can get away with that, but then again, people don't often think of security as Microsoft's greatest strength.
Are you surprised (maybe even outraged) that antivirus apps also have security flaws? Why or why not? Talk back to me.