Tis The Season For Security Software

By Larry Seltzer  |  Posted 2005-12-23 Print this article Print

Opinion: Still looking for a last-second gift? I might have just the thing for you.

There was a time, it must have been at least five years ago, when we would tell users (at least unofficially) that if you were running an old version of an antivirus program with no update subscription, you were better off than with nothing, In fact, you would still block almost all of the threats you were likely to encounter. How wrong that advice is now! Its hardly the first time its happened, but Symantec confirmed independent reports of a serious vulnerability in their products. The flaw, which lies in the scanning of .RAR files, exists in a wide variety of consumer and enterprise products and amounts to the most dangerous and scary kind of vulnerability: All that need happen is that someone send you an e-mail, the Symantec product will scan it and be compromised.

There isnt an exploit circulating yet, at least not publicly, and now were in a race: If the exploit precedes the fix we have a big problem. If the fix precedes the exploit, things are different, but still problematic. Enterprise customers will be set up to update themselves for the patch, but consumer versions of Symantec products dont typically auto-update for software fixes, just for signature updates. For a patch, you need to run the LiveUpdate program manually. Perhaps this has changed in the 2006 versions; well know soon.

There was a similar report from Symantec in early October: a buffer overflow vulnerability in Symantecs AntiVirus "Web Service Administrative Interface" allowed remote exploitation. Fortunately, it appears that only enterprise products were affected.

Other vendors, unsurprisingly, have similar issues in their products. For example, there has been an allegation in the last few days by a researcher of an exploitable vulnerability in the McAfee Security Center. The originality and impact of this specific advisory has been disputed on the Full-Disclosure list. I think we havent seen the last of that one.

And just a couple weeks ago a series of vulnerabilities were revealed in Trend Micro products, including their consumer PC-Cillin program, and updated. One announced vulnerability allowed an attacker to escalate privileges or disable protection. The others focused on server protection products, although those are where Trends real market impact is.

Of course researchers, like everyone else in the security business, focus on the big players and Ive just listed the "Big 3" in the security business. There are a surprising number of smaller players in anti-virus and other security fields, even in the consumer markets. Consider this report on a vulnerability in F-Secure products very similar to the Symantec report. But I never heard anything about attacks based on that vulnerability, and its not hard to see why.

Just as some people buy Macintoshes in order to avoid Windows vulnerabilities, it might make sense to buy a "little guy" security program in order to fly under the radar of the vulnerability researchers. Even if the program has just as many vulnerabilities, known and unknown, as the big boys, you still throw a monkey wrench in the works of any attacker.

Thats one approach you can take, but whatever you do, running an old antivirus program with no access to updates is not the approach to take. Obviously times have changed in terms of the velocity of new threats, and people with old AV are susceptible to these. But when vulnerabilities show up in the AV products themselves they amount to a big "Exploit Me" sign on the Internet.

In fact, are you still looking for a last-second gift for someone? If they dont have AV or their subscription has lapsed, go buy them a new one with a new subscription. You can do it online any time, even on Christmas day, youll be doing them a big fat favor, and youll get to spend time with them, or at least with their computer. (Boy do I know how that feels!)

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel