brovast.blogg.se

Norton antivirus and security












This week, Google security researcher Tavis Ormandy announced that he’d found numerous critical vulnerabilities in Symantec’s entire suite of anti-virus products. That’s 17 Symantec enterprise products in all, and eight Norton consumer and small-business products. The worst thing about Symantec’s woes? They’re just the latest in a long string of serious vulnerabilities uncovered in security software.

Some of Symantec’s flaws are basic, and should have been caught by the company during code development and review. But others are far more serious, and would allow an attacker to gain remote-code execution on a machine, a hacker’s dream. One particularly devastating flaw could be exploited with a worm. Just by “emailing a file to a victim or sending them a link to an exploit. The victim does not need to open the file or interact with it in any way,” Ormandy wrote in a blog post Tuesday, further noting that such an attack could "easily compromise an entire enterprise fleet."

The flaw exists in an unpacker Symantec uses to examine compressed executable files it thinks might be malicious. So the vulnerability would let attackers subvert the unpacker to take control of a victim’s machine. Essentially, a core component Symantec uses to detect malware could be used by intruders to aid their assault.

Ormandy says it's more likely a matter of skill sets. Most security professionals employed by companies reverse-engineer malware, not dig through code for vulnerabilities. "I think the set of skills needed to understand vulnerabilities is entirely different than the skills and training necessary to analyze malware, even though they're both considered security disciplines," he told WIRED. "So, it's entirely possible to be a competent malware analyst without understanding secure development."

That still doesn’t explain why the security firms who put out the flawed products Ormandy exposed haven’t given their products more scrutiny themselves. Wysopal, whose company performs static analysis of software code to uncover vulnerabilities, attributes the lapses to security firms hiring developers that have no special training in writing secure code. “There’s this assumption that if you work at a security software company, you must know a lot about security, and it’s just not true,” he says. “Security software companies aren’t getting specially trained developers that know about good coding better at preventing buffer overflows than your average engineer.”

Another issue is the language in which security software is written. Much of it, Wysopal notes, is written in C and C++, programming languages that are more prone to common vulnerabilities like buffer overflows and integer overflows. Companies use them because the security software has to interact with operating systems that are written in the same languages. Security software also performs complex parsing of files and other operations, which can make writing it more difficult and more prone to error. Those restrictions and complications shouldn't let security firms off the hook, Wysopal says. “If you have to use a riskier language, that would mean you’re going to have to spend more time on testing and code review to get it right,” he says.

Fuzzing, for example, is an automated technique used by both security researchers and attackers to find vulnerabilities in software. But the security firms Ormandy has exposed don’t appear to have fuzzed their code to uncover flaws. “Sometimes you look at a bug and there’s no way an automated tool could have found this; someone would have to really pore over code intensely,” says Wysopal. “But a lot of these issues could have been found with automated fuzzing, and it’s not clear why those weren’t found.”

In some cases the security software in question may be legacy code written years ago when fuzzing and other modern techniques for uncovering vulnerabilities weren’t used. But Wysopal says now that such techniques are available, companies should use them to review old code. “Once new testing tools come out that security researchers use and attackers use, you have to start using those tools too,” he says. “It doesn’t matter if it’s just an old code base that you wrote or you acquired, you can’t let your security process remain stagnant.”

But Ormandy says the problems with security software go beyond merely lapses in coding and code review. He says many of these programs are insecure by design. "I think the problem is that antivirus vendors have rarely adopted the principle of least privilege, which refers to limiting privilege to the highest-risk portions of software functionality so that if something goes wrong the whole system isn't necessarily compromised," Ormandy says.












