The vulnerabilities in antivirus software make the programs as much a threat as a help to corporate network security, two German security experts argued in a presentation released last week.
The researchers -- Sergio Alvarez and Thierry Zoller, both of German security firm N.runs -- have taken antivirus companies to task for a large number of vulnerabilities the two discovered in how virus scanners parse potentially malicious files. While antivirus software is a typical piece of companies' defense-in-depth strategy, security holes in the software could allow an attacker to bypass other defenses, the pair argued.
"Current AV DiD (antivirus defense-in-depth) implementations define 'the worst possible way' an antivirus product may fail as 'Fails to detect a threat' or 'Fails to detect a virus,' whereas in reality the worst possible way is a more severe one: Compromise of the underlying OS (operating system) through the antivirus engine," Alvarez and Zoller stated in the presentation, which was posted (PDF) last week but delivered last month at the Hack.lu conference in Luxembourg.
Over the last two years, security researchers have found a large number of vulnerabilities in antivirus software. In 2004, the Witty worm showed just how devastating such a flaw could be. The worm spread using a flaw in intrusion detection software made by Internet Security Systems, now part of IBM.
Alvarez and Zoller found more than 80 parsing vulnerabilities in various antivirus products. The duo apparently see the software flaws as a market opportunity: N.runs plans to release a product to protect against antivirus parsing vulnerabilities, and the contact information at the end of the presentation includes the e-mail address of the company's director of software sales.
Symantec, the maker of antivirus programs for consumers and companies, is the owner of SecurityFocus.
Posted by: Robert Lemos