People deploy security software such as antivirus programs to protect themselves from malicious behavior and software exploits, but these programs can be insecure as well. A recent study from security firm iViZ Security found that the number of vulnerabilities disclosed in security products in 2012 had grown by 37.3 percent over the previous three years. In particular, the company noted a high occurrence of access control and input validation weaknesses.
Nearly half of the vulnerabilities found in security products – 49 percent – were in antivirus software. Other affected products included firewall software and intrusion detection and prevention programs. Among the vendors attacked in 2012 were companies such as Symantec, Panda Security and Barracuda Networks; vulnerabilities were also found in products from vendors including McAfee and Cisco.
These programs offer a tempting target to attackers, as they generally have high levels of access to a large number of applications. Additionally, they are assumed to be trusted programs, researchers noted. As a result, attackers begin targeting security products by searching for weaknesses as soon as they are released. Weaknesses were defined by iViZ as any flaws that could lead to a software security vulnerability.
Protecting sensitive products
One such occurrence of vulnerabilities in a security product occurred last fall, when researcher Tavis Ormandy discovered eight previously unknown vulnerabilities in antivirus software from Sophos. Making a similar observation to the iViZ researchers, he noted that security products have an added responsibility to keep users safe.
“By design, antivirus products introduce a vast attack surface to a hostile environment,” he wrote. “The vendors of these products have a responsibility to uphold the highest secure development standards possible to minimize the potential for harm caused by their software.”
In the recent study, researchers predicted that attacks – particularly advanced persistent threats – against such products and their users will increase, and that the majority of vulnerabilities found will remain undisclosed. These trends are not limited to security products, however: the study suggested that similar problems face other commercial and open source applications.
“This is not just a call to action for [security] vendors,” said Dan Cornell, a principal analyst with security consultancy the Denim Group, according to TechTarget. “This is a call to action for [independent software vendors] that build software that is widely deployed.”
To meet secure development guidelines and avoid such product errors, organizations can use tools such as static analysis software to find defects in their applications before release and reduce the likelihood that a security program introduces new threats.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.