The Insecurity of Security Software

H316 writes "BusinessWeek is reporting that, despite a number of software products meant to safeguard Windows PCs from harm, a rising number of them endanger their hosts because of poor design and flaws. From the article: 'A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft products.'"

Meta-patches

[moz25]

Next thing you know, not only the OS and the programs that mitigate/stop the harm which patches protect needs patches, but also the program that does the patching.

On the plus side, the patch cycle is probably a lot shorter with the security products and automated patching is less of an issue than with the OS itself, which is much more complicated and requires a ton more testing.

Verisign

[tehshen]

"Software is software," says Ken Silva, chief security officer for VeriSign. "I wouldn't classify it as a failure on the part of the security industry. Hackers are just getting a little smarter."

If hackers (crackers?) are getting smarter, and the security industry isn't catching up with them, then I'd say it's definitely the industry's fault.

Re:McAfee and Symantec are out there to make money

[Raul654]

I'm reminded of the Chris Rock sketch where he talks about doctors finding cures for diseases. He asks when was the last time you heard about doctors finding a cure for a disease. It's been a long time. Why? Because there isn't any money in the cure.

Just moves the goalposts of 'Trust'

Instead of fixing the underlying problem most 'security software' (at least at the desktop users end of things) is a patch which restricts, inhibits or breaks some 'weak' feature of the code beneath it. Adding further layers of complexity only increases the chances of creating further holes with the added danger that users feel protected and hence don't pay attention to simple day to day good security practices.

As time goes by I am becoming fascinated by the whole 'security software industry'. It doesn't take a leap of tin foil hat conspiracy theory to get to wonder whether large companies with a vested interest in there being malware in the environment, and who admittedly employ virus writers, might not be playing with an entirely straight bat when it comes to ethics. I wonder if someday soon we will see 'proof' of this in some form when it becomes apparent that a 'security' company had apriori knowledge (ie they wrote it) of a nasty virus which then went on to cause a lot of damage out there. Holes in their software comes as no suprise. In fact when you use a security product you are handing over huge amounts of trust to the writers. Do I trust Symantec et al. No way, for one I haven't seen their source.

Re:Just moves the goalposts of 'Trust'

[slavemowgli]

Here's some food for thought with regard to anti-virus companies possibly being responsible for (some) viri.

If you look at the computer viri there were in the last 20 or 25 years, there's of course many trends, but one in particular stands out: there has been a huge shift from destructive to non-destructive viri. Remember things like Michelangelo, Stoned and so on? Many of these were actually doing damage - they'd delete your harddisk on certain dates, or overwrite files on access, or other such things.

However, things have changed: these days, at least 99% of all viri, worms, trojans and other malware seem to be content to simply reproduce as much as possible instead of carrying an actually destructive payload. Some might be used to send spam, perform (distributed) DoS attacks and the like and thus cause economic damage, true; but the individual users' boxes are typically unaffected (except for slowdowns and similar things).

Why did this happen? One might argue that the reason is simply that virus writers don't want to bite off the hand that distributes them anymore, or that dead zombies are useless for launching attacks against third parties. But it could also conceivably be an indication that it's different people who write viri these days, with different motivations, different limits, and different morals. And the idea that (some) anti-virus companies are secretly helping out with the creation of new malware doesn't seem so far-fetched anymore when you take into account that with a non-destructive worm, it's much easier to convince yourself that you're not doing *real* damage - especially if there's also the prospect of making money, which probably already has weakened your morals.

Walk through Best Buy

[suitepotato]

See how many anti-spyware, anti-virus, anti-malware apps there are on sale there, with names you've likely never ever heard of. People who cannot even write semi-reliable shareware are now writing these things, and people like gullible fools are buying them.

On the other side, you have companies like Symantec and McAfee whose best written and supported products have been known to totally hose business PCs at the drop of a hat. Secure? I don't trust them to run correctly, never mind actually do what they were installed for.

None of this is very new, most of it seems obvious, and it is truly sad that it so many will read this and think it a groundbreaking notice instead of an afterthought by the IT world which it is. The horses are out of the barn, and now people are realizing that they got out because the tried using screen doors to hold them in, and they will predictably go look for spline and a tool to put more screening in.

Re:For secure applications, don't use a PC.

[A+beautiful+mind]

"Combined with the fact that most script kiddie crackers, and even some of the more seasoned pros, lack basic VMS knowledge, you're looking at very reliable systems from a security standpoint."

Security by obscurity, security nontheless. But, as some wise man once said something like this: you can increase a system's security right down to unusability. Security only makes sense when you gain from using it. Personally i do not see the point using vms as a webserver, when you could run it for example on openbsd, which would probably decrease security a bit, but improve your productivity a lot. I'm sorry, the DCL-hating person speaks from me. ;)

Re:Insecure

[Reaperducer]

It's official. The cure for Windows is worse than the disease.

Sounds like a Soviet Russia joke waiting to happen.

Imagine telling someone you don't run Norton/McAffee/etc... because it's not secure. Now you have to switch to Linux/OS X for both a more secure operating system, and more secure applications.

Re:it wasn't supposed to be like this!

[64nDh1]

In my experience Norton Antivirus ignores default browsers and uses Internet Explorer when you ask it to take you to the instructions for manual virus removal.

Norton Antivirus, despite regular updates by LiveUpdate, does not give full scans in that it does not find certain very frikkin' major trojans on any Windows system. The Shinwow virus that still resides on my XP system is a case in point, as is the Java byte exploit which allowed another user on the system to accidentally have it put there by some scurrilous website,

On Mac Norton Antivirus lost a lot of respect, and a lot of Mac users will just tell you that AV is for suckers anyway, but Norton pissed off people when their existing disk utilities (Speed Disk, Disk Doctor I think) which handled drive optimization was not Panther compatible. Certain people (those running the 10.2 Norton on Panther 10.3) lost complete functionality on their hard drives ("churning" is how I saw it described) requiring formatting with (AFAIK) no chance of file recovery. Same goes with using Norton 9 on Tiger - don't.

When using Norton Antivirus year on year the 'upgrades' mean that your boot time, and logon times increase. See my first point that this does not mean that you are more protected as at least one older known trojan is still undetected by a full system scan.

If you enable Program Launch Monitoring then Norton will tell you about absolutely every little thing that accesses the internet. This is a good thing, but from what I can see, they've taken out the damn option to "Don't show me this bullshit again, of course Firefox is going online!" and it keeps happening.

Just earlier today, I let Norton integrate itself into my Dad's mail client, Outlook Express, then I got 5 warnings that NORTON was being called by another program, and accessing the internet. This isn't even the veil of a false sense of protection. I increasingly think this junk is being coded by morons. Compared to each other, EZ Armour, eTrust Antivirus whatever it's called runs a scan faster, finds more, and I trust it more. It's not any worse to boot speeds. And while 'the devil you know is better than the devil you don't' I'm looking to return to some sort of honeymoon period so that you don't feel cheated and abused for spending on a program which you need due to stupid security holes and ignorant malicious script kiddies.

My antivirus experience is getting so bad, and so resource intensive, that I have taken to schooling every member of my family who use the computer and who will listen, and I am showing them how everything can be done as promptly on SuSE 9.1 Pro in KDE with Firefox and KMail. This switch is nothing to do with Windows frustrations which are relatively minor, this is just to do with lugubrious boot times and all those lost proc cycles.