This week, Tavis Ormandy of Google’s Project Zero security research team disclosed a major vulnerability in security products by Symantec (and their consumer-targeted Norton brand) which arguably make users of these products less secure than they would be without an antivirus program at all.
This vulnerability is particularly bad—exploiting the vulnerability requires no user interaction. The vulnerability exists in a default configuration, and code execution occurs at the highest privilege level, if not the kernel itself. According to Ormandy, open source libraries used in the products such as libmspack and unrarsrc had not been updated “in at least 7 years.”
This problem is not, itself, an aberration, and is not limited to Symantec. Security software necessarily requires high access privileges to operate effectively, though when it is itself insecure or otherwise malfunctioning, it becomes a much higher liability due to the extent to which it has control over the system. These software issues, combined with logistical and political problems in the antivirus industry itself, are making users less secure.
Purely programmatic problems
In March, a mishap in free and paid enterprise versions of Panda Antivirus flagged core program files as malware, in turn prompting the removal of files from System32, leaving computers inoperable if rebooted. Affected systems often lost their networking capabilities, leading to the helpful response from Panda to not reboot systems as they deployed an update to fix the issue…over the network.
A variety of issues have been identified in Comodo Antivirus this year, again from the work of Tavis Ormandy and team. Among these was the bundled program “GeekBuddy” which installs and starts a poorly protected VNC server. This disclosure is actually the “fixed” version of this program, as disclosures made in 2015 noted that the VNC server had no password at all.
On the topic of passwords, Ormandy discovered a vulnerability in Trend Micro Antivirus in which the bundled password manager launches a local web server that listens for API commands from the internet, without a whitelist or same origin policy—effectively allowing remote code execution. In a message to Trend Micro, Ormandy stated that “Anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I’m astonished about this.”
In December 2015, users of AVG products had the “AVG Web TuneUp” Chrome extension forced upon them, in an labyrinthine and indirect installation process apparently aimed at bypassing malware checks in the Chrome extension API, for the purpose of modifying search settings and the new tab page. In an email sent to AVG about the vulnerability, Ormandy said: “I’m really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I’m not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it’s a PuP.”
Concerning corporate conduct
At the 25th RSA conference in March—and in the middle of the disclosure of the aforementioned vulnerabilities—a self-aggrandizing press release was released applauding Comodo for receiving the “Excellence in Information Security Testing Award” from ICSA Labs (itself a division of Verizon). The criteria which ICSA uses in their assessment (PDF) is ridiculously simplistic—among other things, programs must be able to “detect malware on-demand” and “log the results of malware detection attempts,” which astute TechRepublic readers will recognize as attributes that practically any antivirus program would have.
Relatedly, Comodo’s CEO recently embarked on a bizarre tirade over the Let’s Encrypt project, claiming that Comodo “invented the 90 day free SSL.” The company briefly attempted to register “Let’s Encrypt” as their own trademark, despite the name being used by the nonprofit Internet Security Research Group since 2014.
SEE: Download: Securing Windows policy (Tech Pro Research)
What to do?
There is not an easy answer to this question. Microsoft’s antivirus tools have improved dramatically since they were introduced in 2009, and should be sufficient for most people using computers responsibly—in other words, not participating in file sharing or downloading every email attachment they get.
The status quo for paid security products, however, is absolutely lacking. With this in mind, it is well overdue to roll up your sleeves, cross your arms, and get serious about desktop security.