One of the reasons enterprises rely on layers of security products is the flaws that often appear in their main IT infrastructure. But according to a panel of experts at the Gartner IT Security Summit in Washington, those security tools aren’t as ironclad as you think.
More than ever before, they say, some of the more dangerous vulnerabilities are appearing in the security products companies rely on to keep the bad guys at bay.
“In the last six months alone, every security vendor has had multiple exploitable conditions in their products,” said David Maynor, CTO of Errata Security.
Chris Wysopal, chief technology officer of Veracode, likened the situation to a security guard who turns on the person he’s charged with protecting.
Indeed, SearchSecurity.com has covered a number of recent flaws in security products.
Symantec Corp. recently patched a flawed ActiveX control in its Norton security products that attackers could exploit to run malware on targeted machines.
McAfee recently addressed a flaw that opened a variety of its products to denial-of-service attacks or the hijacking of entire computer systems.
And just last week, F-Secure took to its blog to report fixes for several flaws that included a buffer overflow vulnerability with LHA archive handling found in several of its products.
That security products are often flawed reflects the fact that all developers are human and make mistakes, said Thomas Ptacek, a member of the team at Matasano Security and keeper of its popular Matasano Chargen blog.
“There’s no immunity for security products,” he said. “It’s a misconception that security software is inherently more secure.” Enterprises that use these products to secure proprietary information need to be aware of this and keep track of vulnerability disclosures, he added.
Ironically, Microsoft — long criticized for its buggy code — got credit for becoming a lot more aggressive in hardening its products, including the security tools it has rolled out in the last couple years.
“We worked with Microsoft on Vista, as did many security vendors,” Ptacek said. “Their code is [now] designed for security.”
Of course, since the folks at Microsoft are human, Windows admins can expect more flaws in the future.