2. Products are riddled with holes
There's something unnerving about having to patch your security product on a regular basis. And with the recent wave of security vulnerabilities reported for security tools such as those of AV giants McAfee and Symantec, some users are wondering whether it's only a matter of time until security vendors have their own monthly patch day like Microsoft's.
It goes with the territory: Symantec, McAfee, and Cisco are big-time and, therefore, big targets, too. Cisco last week made the unusual move of reporting vulnerabilities found in its VPN and firewall product. (See Cisco Reports New Vulnerabilities.) "The hunters are becoming the hunted," says Allwyn Sequeira, vice president of engineering and operations for Blue Lane.
Security tools have always had holes. Think of the Cisco routers in the late 1980s and early versions of antivirus scanning for MS-DOS, says Nate Lawson, engineering director for Cryptography Research. The difference now is attackers in general are moving up the stack and finding more creative ways to get inside, by poking holes in security software.
Part of the problem is that security code is complicated and, therefore, prone to vulnerabilities, says Thomas Ptacek, a researcher with Matasano Security. "I'm concerned that security products are harder to build and most security companies don't get [more sophisticated] developers."
McAfee and Symantec seem to have the most holes among AV tools, says Marc Maiffret, CTO and chief hacking officer for eEye Digital Security, whose researchers have discovered holes in McAfee and Symantec products over the past few months.
Meanwhile, hackers are increasingly poking around and finding new holes in IDS/IPSes, too. (See IDS/IPS: Too Many Holes?) Black Hat researchers earlier this month showed just how easy it is to slip by IPS/IDSes, even with very old and well-known exploits. A French researcher did so with a tool he built and a slightly repackaged Blaster worm, for instance.
Security tools are becoming an attacker's welcome mat, and they're getting walked all over in some cases. "In the last six months, one of the easiest ways to own desktops in America is through security software," says Maiffret.
How can you stay secure when your security products (gulp) aren't?
The good news is security tools still do more good than harm. "As with any software, you're always going to have vulnerabilities," Maiffret says. "You might have a couple of bugs a year in your AV client, but that's two bugs versus the 100,000 viruses it defended you against."