Computer Crime Research Center


Hackers: Cavities in Security Software

Date: June 21, 2005
Source: InformationWeek
By: Gregg Keizer

Hackers are switching targets, a research firm said Monday, as they look for new vulnerabilities. Rather than focus on operating systems, Windows in particular, they're going after the very security software that's supposed to protect PCs.

"Am I just crazy, or have there been a lot of security vulnerabilities for security companies announced?" Andrew Jaquith, a senior analyst at the Yankee Group said in describing what led him to analyze data from a public vulnerability database, ICAT.

From the beginning of 2004 to May 2005, 77 vulnerabilities affecting security products were posted to ICAT. That was a faster rate of increase than even Microsoft's Windows, which has actually shown improvement since the release last fall of Windows XP SP2.

"When considering the number of affected products rather than just the number of distinct vulnerabilities, the rate of increase was as fast as that of the industry as a whole," said Jaquith.

According to Jaquith, three factors played a part in the rise of security product problems. For one, vulnerability researchers -- who include both above-board "good guys" and underground hackers -- may have nearly depleted the supply of easily-exploited Windows vulnerabilities, and so are looking for virgin territory.

"An adolescent enthusiasm, and I think that's the right way to describe it, is what's driving a lot of this vulnerability research. They're always looking for the next thing and for recognition," said Jaquith.

Second, security products are an attractive target because nearly all enterprises have deployed them, especially anti-virus solutions. "There's low-hanging fruit in security products," said Jaquith, because the press hasn't forced security firms to acknowledge and fix problems in their code, as it has with operating system makers like Microsoft and Apple. "Flaws targeting security software stand a better chance of being successful," noted Jaquith.

That brings up what Jaquith calls the "tailgating effect," where hackers use the vulnerabilities in security software for their own purposes. "The real bad guys will put these vulnerabilities to work," said Jaquith, for instance to slip malicious code past the defenses companies count on to protect their networks.

A third driver of the trend, he added, is the economic self-interest of security assessment vendors. Although the practice isn't illegal -- and rarely gets slammed by security firms whose products are tagged as vulnerable -- some assessment firms specialize in spotting flaws in security providers' products. The assessment firms -- eEye Digital is an example, said Jaquith -- then sell their own security analysis software, which includes detection signatures for the other vendors' vulnerabilities.

One in four vulnerabilities in security products, in fact, was discovered this way during 2004 and the first half of 2005.

While Jaquith refused to label the practice as unscrupulous, he did say "In the airliner manufacturing industry, you don't see companies saying 'our airplane falls out of the air less often than our competitors.'"

Of the major security vendors whose products have been tagged with vulnerabilities, Symantec's were "disproportionally affected" according to Jaquith's examination of the ICAT database. Check Point and F-Secure also saw their numbers jump in 2004, while others, such as McAfee, showed a significant decrease.

Copyright © 2001-2024 Computer Crime Research Center