Anti-virus software is not only the most important protection against pests from the Internet; it can also be one of the most dangerous gateways for attackers and malware. It runs not only on almost every desktop system but also on many servers, and it constantly handles potentially malicious files. A security flaw at this point can therefore have disastrous consequences.
In a talk at Hack.lu 2007, Sergio Alvarez and Thierry Zoller criticised the inadequate security precautions taken in anti-virus software in particular. The two security specialists from n.runs know what they are talking about: in 2007 alone they published some 30 advisories for partly critical security problems in AV software, and they say they have reported about 800 problems to the manufacturers.
The central problem, as Alvarez and Zoller see it, is that in many minds security software is considered secure virtually by definition. Manufacturers and users of AV software alike think the worst that can happen is that a product misses a virus. The far greater danger, that the anti-virus software is itself a gateway, is almost completely ignored. As a result, hardly any company guards against an attack scenario in which, for example, a piece of malware exploits a vulnerability in the virus scanner on the mail server, Zoller complains. Andreas Marx of AV-Test confirms: “Hardly any manufacturer seems to take the subject of the security of its own products really seriously.”
That the problem is real is shown by the endless list of critical security problems discovered in anti-virus software in recent years. Many of them actually made it possible to inject and execute code, for example by means of a malicious e-mail.
One weak point is the variety of file formats an AV scanner has to parse and evaluate. Very old code is often used for this, and it is not revised even after vulnerabilities become known. The best example: a few weeks ago Stefan Kanthak discovered that BitDefender’s scanner was using a zlib library dating from 1998, which still contained a critical flaw through which exploit code could be injected.
Alternatively, manufacturers react to new technologies by cobbling together, for example, an unpacker for a newly emerged EXE packer “just quickly”. The developers are under extreme time pressure, so not much time is left for extensive testing. What comes out of that is easy to imagine.
The list of anti-virus manufacturers with critical security problems reads like a who’s who of the industry: the hit list of Zoller and Alvarez includes, among others, Avast, Avira, BitDefender, CA, ClamAV, Eset NOD32, F-Secure, Grisoft AVG, Norman, Panda and Sophos. iDefense discovered critical buffer overflows in Kaspersky’s scanner, McAfee’s VirusScan and Trend Micro’s security products; in Symantec Mail Security it was Secunia, and in Microsoft’s security products ISS/IBM X-Force. All of this in this year alone, and the list is by no means complete: the n.runs specialists say they have discovered and passed on to the vendors more than 80 further critical vulnerabilities. To their knowledge, only about 30 of them have been closed so far.
The majority of such problems are ironed out quietly by the manufacturers via the automatic update feature, without much fuss. Marx confirmed to heise Security that he and his team have reported around thirty buffer overflows in AV products to their manufacturers this year alone. Not one of them resulted in an official advisory.
An end to the critical vulnerabilities is nowhere in sight. The security service provider eEye and the Zero Day Initiative still have a dozen critical holes in security products in their queues, which means that working exploits already exist for these vulnerabilities. Alvarez and Zoller also speak of the tip of an iceberg and predict that in the near term the situation will get worse rather than better.
There is no quick and easy solution. On servers, administrators can at least try to contain the problem by running virus scanners with minimal rights in the most restricted environment possible. But potentially malicious code reaches desktop systems via web pages, downloads and e-mails, and there this is not readily possible. n.runs wants to step into the breach soon with a new technology called Parsing Safe; so far, little more than the name is known.
A fundamental solution can only be achieved in the long term, and it requires that manufacturers of security software begin measuring their products against standards that have long been taken for granted in other security-critical fields. This includes targeted risk analysis and secure development techniques, as well as code reviews and penetration tests, for example with fuzzing.
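To make the two points above concrete (a parser that trusts length fields in an old container format, and fuzzing as the test technique that exposes it), here is a small added example. It is not code from any scanner vendor, from n.runs or from AV-Test; the archive format, the two parsers and the mutation fuzzer are constructed for illustration only. The naive parser stands in for legacy format-handling code, the hardened parser shows the bounds checks and the decompression cap a reviewer would ask for, and the fuzz loop treats any exception other than a clean rejection as a defect, which is the Python stand-in for the memory-safety crashes a C scanner engine would show.

```python
"""Toy mutation fuzzer for a container-file parser (constructed example)."""
import random
import struct
import zlib

MAGIC = b"TOYA"          # constructed toy format: magic, u16 count, then records
MAX_ENTRIES = 1000       # hardened parser: sanity limit on entry count
MAX_OUTPUT = 1 << 20     # hardened parser: cap on decompressed bytes per entry


def pack_archive(entries):
    """Serialise [(name, data), ...] as magic | u16 count | (u8 name_len, name, u32 comp_len, zlib data)*."""
    out = bytearray(MAGIC) + struct.pack("<H", len(entries))
    for name, data in entries:
        comp = zlib.compress(data)
        out += struct.pack("<B", len(name)) + name
        out += struct.pack("<I", len(comp)) + comp
    return bytes(out)


def parse_naive(blob):
    """Legacy-style parser: trusts every length field in the file (deliberately unchecked)."""
    if blob[:4] != MAGIC:
        raise ValueError("bad magic")
    count = struct.unpack_from("<H", blob, 4)[0]
    pos, entries = 6, []
    for _ in range(count):
        name_len = blob[pos]                         # IndexError if the count lies
        pos += 1
        name = blob[pos:pos + name_len]
        pos += name_len                              # attacker-controlled jump
        data_len = struct.unpack_from("<I", blob, pos)[0]   # struct.error past the end
        pos += 4
        comp = blob[pos:pos + data_len]
        pos += data_len
        entries.append((name, zlib.decompress(comp)))       # unbounded output size
    return entries


def parse_hardened(blob):
    """Same format; every read is bounds-checked and decompression output is capped."""
    view = memoryview(blob)

    def take(pos, n):
        if n < 0 or pos + n > len(view):
            raise ValueError("truncated record at offset %d" % pos)
        return view[pos:pos + n], pos + n

    hdr, pos = take(0, 6)
    if bytes(hdr[:4]) != MAGIC:
        raise ValueError("bad magic")
    count = struct.unpack("<H", hdr[4:6])[0]
    if count > MAX_ENTRIES:
        raise ValueError("too many entries")
    entries = []
    for _ in range(count):
        raw, pos = take(pos, 1)
        name, pos = take(pos, raw[0])
        raw, pos = take(pos, 4)
        comp, pos = take(pos, struct.unpack("<I", raw)[0])
        d = zlib.decompressobj()
        try:
            data = d.decompress(comp, MAX_OUTPUT)    # stop after MAX_OUTPUT bytes
        except zlib.error as exc:
            raise ValueError("corrupt compressed data: %s" % exc) from exc
        if d.unconsumed_tail or not d.eof:
            raise ValueError("compressed data too large or incomplete")
        entries.append((bytes(name), data))
    if pos != len(view):
        raise ValueError("trailing bytes after last record")
    return entries


def mutate(data, rng):
    """Apply 1-4 random byte flips, deletions or insertions to a seed input."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        i = rng.randrange(len(buf))
        op = rng.random()
        if op < 0.6:
            buf[i] = rng.randrange(256)
        elif op < 0.8 and len(buf) > 8:
            del buf[i:i + rng.randint(1, 8)]
        else:
            buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)


EXPECTED_REJECTIONS = (ValueError, zlib.error)   # clean "malformed input" outcomes


def fuzz(parser, seed_blob, iterations, rng_seed=0):
    """Return {exception_name: first triggering input} for every unexpected parser failure."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed_blob, rng)
        try:
            parser(sample)
        except EXPECTED_REJECTIONS:
            continue
        except Exception as exc:                 # anything else is a parser defect
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


# Constructed seed corpus: two small, valid entries.
SEED_ENTRIES = [(b"a.txt", b"hello world" * 3), (b"b.bin", bytes(range(32)))]
SEED_ARCHIVE = pack_archive(SEED_ENTRIES)

if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        found = fuzz(parser, SEED_ARCHIVE, 500, rng_seed=1)
        print("%-8s parser: %d defect classes %s" % (name, len(found), sorted(found)))
```

With a fixed random seed the run is reproducible: the naive parser falls over within a few hundred mutated inputs (index and struct errors from trusted length fields), while the hardened parser only ever returns entries or raises a ValueError. The same loop structure applies to a real engine by swapping in the scanner's unpacker and treating a crash or sanitizer report as the defect signal.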
“It would probably mean restructuring and completely rewriting most AV scan engines,” is Andreas Marx’s sobering conclusion. The programs have grown and grown, and in part build on approaches and routines developed 5, 10 or 15 years ago. New things are constantly added; the big break has never been made.
Zoller and Marx agree that basically only a Secure Software Development Life Cycle could get such problems out of the way in the long term. But AV vendors are still reporting huge growth rates, and thus see no reason for drastic changes. The key is in the customer’s hands: the next purchasing decision could be based not only on price and detection rate but also on whether the software has gone through such a secure development life cycle.
Very interesting topic, thanks for posting.