Is One Researcher's Success at Finding Flaws Putting AV Future in Doubt?

By Sean Michael Kerner  |  Posted 2016-06-30 Print this article Print
security flaws

NEWS ANALYSIS: Security researcher Tavis Ormandy once again has found "many" holes in a security vendor's products—this time Symantec's antivirus tools—but that's not necessarily a bad thing.

Security researcher Tavis Ormandy has struck again. Over that course of 2016, the Google Project Zero researcher has made security vendors around the world take note of serious vulnerabilities in their own products, and his latest target is antivirus vendor Symantec.

Now, because of Ormandy's success, some industry pundits are wondering if we are seeing the end of the antivirus (AV) industry.

"[Symantec's] vulnerabilities are as bad as it gets," Ormandy wrote in a blog post on June 28, detailing the flaws.

That same day, Symantec issued a major update of its consumer and enterprise security products, fixing eight unique vulnerabilities across the Symantec technology portfolio. Impacted products included Norton Security, Norton 360, Symantec Endpoint Protection, Symantec Email Security, Symantec Protection Engine and Symantec Protection for SharePoint Servers, among a long list of others.

Symantec said it does not have any evidence that attackers have exploited in the wild any of the flaws in the affected products.

For its part, Symantec said that working with security researchers is all part of keeping customers safe.

"To ensure that our products are as effective as possible, we rely on Symantec experts and the security research community to watch for potential product vulnerabilities so we can act swiftly to remediate and issue product updates accordingly," Adam Bromwich, vice president of Security Technology and Response at Symantec, wrote in a blog post. "In this case, we were alerted by a researcher on Google's Project Zero to eight vulnerabilities he discovered after reviewing our product portfolio."

A Symantec spokesperson told eWEEK that the company is referring all inquiries about vulnerabilities reported by Google Project Zero to the blog post at this time and has nothing to add beyond the blog post.

No User Interaction Required

The eight flaws discovered by Ormandy are particularly worrisome in that they don't require any user interaction and are part of the default configuration for the impacted Symantec products.

Also of note about the flaws discovered by Ormandy is that Symantec was making use of a number of open-source code libraries, including libmspack and unrarsc. Unfortunately, Symantec had failed to update the library versions and was using versions that were out-of-date by at least seven years.

"As with all software developers, antivirus vendors have to do vulnerability management," Ormandy wrote. "This means monitoring for new releases of third party software used, watching published vulnerability announcements, and distributing updates."

The vulnerabilities in Symantec's antivirus technologies that Ormandy disclosed follow a long list of vendors that he has reported issues to this year. In February, Ormandy publicly disclosed multiple issues in antivirus technologies from Avast, Comodo and Malwarebytes.

Why the Antivirus Industry Will Survive

While some industry pundits claim that Ormandy's success is a death knell for the antivirus industry, it's important to note that Ormandy has had success in finding vulnerabilities in all manner of security technologies. On June 4, he successfully exploited next-generation security vendor Bromium. Bromium co-founder Simon Crosby credited Ormandy with finding an exploit and donated $15,000 to Amnesty International in his honor.

Certainly the flaws that Ormandy found in Bromium's product are not in the same class as those found in the products of antivirus vendors. But that's not the point; it's that vulnerabilities can and will be found in nearly any security product, and that's not necessarily a bad thing. In Ormandy's case, he responsibly discloses the flaws he finds to impacted vendors and then works with them to help understand the issues that are found.

"That rockstar pen testers can succeed says nada about the typical adversary," Crosby wrote in a Twitter post on June 29. "It just confirms that you're a rockstar."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel