12/22/2005
05:14 PM

Symantec, McAfee Problems May Lead To Sea Change In Antivirus Industry

Doubt is mounting about the antivirus industry's install-and-upgrade model, and Microsoft is preparing to enter the market. Combine that with vulnerabilities in popular antivirus software, and the market is ripe for a shift.

Is there nothing sacred in the world of IT security? For years, McAfee Inc., Symantec Corp., and other antivirus software makers have helped companies keep their systems free of worms, Trojans, and other prickly pieces of code that can wreak havoc. Now these very same PC guardians are exposed for selling products that also are vulnerable to malicious attacks.

Vulnerabilities found recently in McAfee, Symantec, and Trend Micro software could let hackers compromise and even control computers running certain versions of their products. While most antivirus software is distributed via a network download, making it difficult for a hacker to get to the code, these flaws further highlight the problems with the antivirus industry's traditionally reactive approach to protection, and even could open the door a little wider for Microsoft's push into this market.

Symantec earlier this week revealed that its antivirus library is prone to multiple heap-based buffer overflow vulnerabilities, which attackers could exploit to compromise computers running applications that use these libraries for virus protection. The problem affects various releases of Symantec Norton SystemWorks, Symantec Norton Internet Security, Symantec Norton AntiVirus, Symantec Gateway Security, Brightmail Anti-Spam, and Symantec Client Security.

Security researcher Alex Wheeler was the first to report this most recent Symantec vulnerability, just as he did in February when, as a member of rival Internet Security Systems' X-Force research group, he discovered a vulnerability in the antivirus library that affected Symantec's Brightmail AntiSpam, AntiVirus Corporate Edition, and other products. That vulnerability threatened to let attackers exploit the library's DEC2EXE module, part of the scanning engine that's able to peek into executable files compressed with Ultimate Packer for eXecutables, and likewise create a heap-based buffer overflow problem.

As Symantec was scrambling to create a fix to its latest security flaw, competitor McAfee this week issued an alert saying that various versions of its VirusScan software were prone to an arbitrary file overwrite vulnerability that could let attackers create and modify arbitrary files. Attackers could exploit a flaw that exists within a data link library used by McAfee products to write data to the victimized PC. In other words, the very software that was supposed to protect a PC could be turned against it. The company quickly issued updates that it says fix the problem.

Not to be left out, Trend Micro's PC-Cillin Internet Security antivirus and network security software for Windows was found by security researcher VeriSign iDefense to be susceptible to a vulnerability that lets attackers escalate their user privileges, or disable protection altogether, thanks to a failure in version 12.00 build 1244 to ensure that secure permissions are applied to its application and data files. Attackers also can overwrite arbitrary binaries executed with system level privileges, which could mean a complete compromise of affected computers.

The problems that McAfee, Symantec, Trend Micro, and other antivirus companies face indicate that they're no better than any other software vendor at writing quality code, says Burton Group principal analyst Fred Cohen. But since attackers can't easily get to code in software that's distributed via a network to PC users, any exploitation would likely have to happen from inside one of these vendors, he says.

This raises questions regarding how much trust should be placed in these vendors, and in the update model they employ. It's a reactive measure to be sure, but it's also one that relies on users trusting their vendors to install software directly onto their PCs. Cohen questions, "What if someone at one of these vendors plants a Trojan horse on your system?"

Meanwhile, such vulnerabilities may make it difficult for the antivirus specialists to prove that their security software is the best available as Microsoft enters the market. "Many antivirus vendors were saying, 'Yeah, right, who's going to buy antivirus software from Microsoft when they can't keep their own products secure,'" says Gartner VP and research fellow John Pescatore. But if Microsoft's offerings are less expensive, and the antivirus vendors can't prove what they offer is of superior quality, they could lose business.

The recent events also could ignite a change in how much companies rely on the install-and-upgrade antivirus software model. The long-term solution to the antivirus epidemic is more likely to come in the form of trusted computing initiatives where digital keys, certificates, and passwords are stored on microprocessors in PCs, servers, and other hardware. "This will have a serious impact in five-to-seven years on the antivirus, antispyware, and anti-malware markets," Cohen says.

Why so long? Because the 15 million trusted clients that PC vendors have shipped so far aren't nearly enough to make an impact. "You need 100 million trusted computers," Cohen says. That won't happen until at least the next major round of PC replacements, a cycle that takes place every three-to-five years.
