Antivirus Software Could Make Your Company More Vulnerable

itwbennett writes: Since June, researchers have found and reported several dozen serious flaws in antivirus products from vendors such as Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes. Many of those vulnerabilities would have allowed attackers to remotely execute malicious code on computers, to abuse the functionality of the antivirus products themselves, to gain higher privileges on compromised systems and even to defeat the anti-exploitation defenses of third-party applications. And evidence suggests that attacks against antivirus products are both possible and likely. Some researchers believe that such attacks have already occurred, even though antivirus vendors might not be aware of them because of the very small number of victims. Among the emails leaked last year from Italian surveillance firm Hacking Team there is a document with exploits offered for sale by an outfit called Vulnerabilities Brokerage International. The document lists various privilege escalation, information disclosure and detection bypassing exploits for multiple antivirus products, and also a remote code execution exploit for ESET NOD32 Antivirus with the status 'sold.'

Re:Not quite AV, but close

[Dutch+Gun]

I'll half agree with you... I think I know what you're getting at, but I think it's worth clarifying a bit. After all, it's not like any arbitrary code on a machine is vulnerable to random attacks from the internet.

Rather than talking about simplicity - because let's face it, that will never happen - we need to focus on minimizing and hardening the attack surface. For instance, if my personal machine sits behind a router, arbitrary incoming traffic from the internet is blocked. Anything that isn't blocked then has to make it past my personal machine's built-in firewall, which would tend to reject most anything else. Thus, it's likely that 99.999 percent of the code on my machine (any modern OS is *horribly* complex by nature) is completely immune to random internet-based attacks, at least ignoring user actions like launching an infected program or script.

A good example of minimizing attack surface is Amazon's recent release of a very tiny TLS library called s2n. With only 6000 lines of code, it's *much* easier to vet and declare secure than the feature rich but dangerously bloated OpenSSL library, which may put servers at risk with features they never used. Even the name (signal to noise) indicates the intent, which is to keep the library tiny and focused. We're discovering that there's a danger to letting code grow infinitely large and complex, and not depreciating it, because even if those old features work, they still may contain security issues. I'd be extremely surprised if s2n had any serious security flaws in its implementation simply due to its small size - there's just not as much that can go wrong there.