Hackers Finding Flaws In Security Software

"Am I just crazy, or have there been a lot of security vulnerabilities for security companies announced?" Andrew Jaquith, a senior analyst at the Yankee Group said in describing what led him to analyze data from a public vulnerability database, ICAT.

From the beginning of 2004 to May 2005, 77 vulnerabilities affecting security products were posted to ICAT. That was a rate of increase greater than even Microsoft's Windows, which actually has showed improvement since the release last fall of Windows XP SP2.

"When considering the number of affected products rather than just the number of distinct vulnerabilities, the rate of increase was as fast as that of the industry as a whole," said Jaquith.

According to Jaquith, three factors played a part in the rise of security product problems. For one, vulnerability researchers -- who include both above-board "good guys" and underground hackers -- may have nearly depleted the supply of easily-exploited Windows vulnerabilities, and so are looking for virgin territory.

"An adolescent enthusiasm, and I think that's the right way to describe it, is what's driving a lot of this vulnerability research. They're always looking for the next thing and for recognition," said Jaquith.

Second, security products are an attractive target because nearly all enterprises have deployed them, especially anti-virus solutions. "There's low-hanging fruit in security products," said Jaquith, because the press hasn't forced security firms to acknowledge and fix problems in their code, as it has with operating system makers like Microsoft and Apple. "Flaws targeting security software stand a better chance of being successful," noted Jaquith.

That brings up what Jaquith calls the "tailgating effect," where hackers use the vulnerabilities in security software for their own purposes. "The real bad guys will put these vulnerabilities to work," said Jaquith to, for instance, slip malicious code past the defenses companies count on to protect their networks.

A third driver of the trend, he added, is the economic self-interest of security assessment vendors. Although the practice isn't illegal -- and rarely gets slammed by security firms whose products are tagged as vulnerable -- some assessment firms specialize in spotting flaws in security providers' products. The assessment firms -- eEye Digital is an example, said Jaquith -- then sell their own security analysis software, which include detection signatures for the other vendors' vulnerabilities.

One in four vulnerabilities in security products, in fact, was discovered this way during 2004 and the first half of 2005.

While Jaquith refused to label the practice as unscrupulous, he did say "In the airliner manufacturing industry, you don't see companies saying 'our airplane falls out of the air less often than our competitors.'"

Of the major security vendors whose products have been tagged with vulnerabilities, Symantec's were "disproportionally affected" according to Jaquith's examination of the ICAT database. Check Point and F-Secure also saw their numbers jump in 2004, while others, such as McAfee, showed a significant decrease.

Disclosed vulnerabilities don't always lead to a worm or other exploit, but Jaquith noted that some researchers insist on publicly releasing proof-of-concept code, which makes a hacker's job all that much easier.

"These are like unprocessed uranium," he said. "Malicious parties can transform them easily into munitions."

So far, only one security product vulnerability -- in products from Internet Security Systems (ISS) -- has resulted in a major worm outbreak. In early 2004, the Witty worm snuck through ISS firewalls, and reportedly infected tens of thousands of PCs worldwide.

"Not coincidentally, ISS tightened up its security processes and decreased its share of vulnerabilities last year relative to 2003," said Jaquith. "The Witty worm should have been a wake-up call to the security vendors. It wasn't.

"We should be sounding the alarm," Jaquith urged. "We should be telling the security vendors, 'We know there's not a big problem at the moment, but we want to make you're aware of it.'"

And working on it.

While all users should be pushing security vendors to put more emphasis on coding secure products -- so they use some of the same techniques that operating system makers now employ, such as regular security design reviews and reviews of the code base for security issues -- one of the best times to pressure them is when contracts come up for renewal.

Jaquith recommended that enterprises ask their preferred security vendors to detail how they develop in a secure fashion, and how they fix and patch problems.

Another way to mitigate possible exploits is to take a page out of operating system analysts' books. "One potential strategy is to diversify security vendors," he said.

"In the end, though, what we really need to do is push security vendors toward interoperability. They need to open up their APIs and their management consoles," he said, so that a heterogeneous security environment is actually practical.