January 21, 2016 By Rick M Robinson 3 min read

It sounds like a plot hook for a sci-fi thriller: Attackers take over security safeguards and then use the compromised guardians to break into facilities and engage in theft, sabotage or both. But according to some security researchers, this isn’t just a fictional Hollywood scenario. Popular antivirus software used by thousands of enterprises and millions of individual users is potentially vulnerable to attack.

Because these attacks hijack software that is meant to protect the system, the attackers can bypass other protective measures and cover their tracks. They can even turn the security tool itself against the network, for example by using its privileges to infect other systems. Unlike many threat vectors, these attacks do not depend on end user shortcomings: the scanner examines incoming files automatically, so a crafted file can trigger a flaw in the scanner without anyone opening it.

Antivirus Software Draws Intelligence Agency Interest

The good news, according to Lucian Constantin at InfoWorld, is that there is no direct evidence, so far, that antivirus software has been exploited in real attacks. If such attacks have taken place, they were small in scale and avoided detection. But security researchers warned that such strikes are possible.

Both the U.S. National Security Agency (NSA) and British intelligence agencies are known to have examined popular commercial antivirus software packages to look for ways they could break into systems protected by these packages, The Intercept reported. It stands to reason that other international intelligence agencies, some with reputed ties to cybercrime groups, are also actively examining antivirus software for potential vulnerabilities.

The major cybersecurity firms that market these tools are well aware of the potential risks to and from their products. “Attacks on security researchers and security vendors could be a future trend in information security,” Vyacheslav Zakorzhevsky of Kaspersky Lab told InfoWorld. “However, we do not believe these will be widespread attacks.”

Sed Quis Custodiet Ipsos Custodes?

But who will guard the guards themselves? As this Latin proverb suggests, the security challenges of safeguarding protective systems are not new. In fact, they are inherent in the nature of security measures.

Security guards need passkeys, which means that one way for the bad guys to get hold of those keys is to steal them from a guard. In the same way, security software needs to have access to high-level permissions. In fact, most of the familiar Hollywood tricks for getting past the guards have their cyber equivalents, from simply taking out a guard (disabling the software) to dressing up in a guard uniform and issuing fake instructions (abusing the software’s system permissions).

This basic challenge is inherent to antivirus protection. The software must parse a wide variety of incoming data and file types (archives, documents, executables, network streams), it does so with high-level system permissions, and it is built from multiple internal components that trust one another. The result is a large attack surface: the product can be attacked in many ways at many points, and a bug in any one of its parsers is reachable by anyone who can get a file onto the machine.

Protecting Against Attacks

Some security researchers questioned whether the whole idea of security based on endpoint protection, which is what antivirus software provides, is obsolete in the modern world of richly interconnected systems. Others argued that much security software is flawed because its tools are not adequately sandboxed, that is, the code that parses untrusted content is not isolated in a low-privilege process and protected from unwanted outside interactions.

But it is not clear that sandboxing is practical for complex security packages. They might end up with so much self-protection that it would grind everything to a halt, making them unusable.
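To make the attack-surface point above concrete, and to show that useful limits are far cheaper than a full sandbox, here is a toy archive scanner. It is an added example, not code from the article or from any antivirus vendor. The scanner must open attacker-controlled containers (here: ZIP files, possibly nested) to look inside, so it is the scanner, not the user, that is exposed to a hostile file. The unbounded version happily inflates a decompression bomb and recurses into arbitrarily deep nesting; the bounded version enforces depth, per-member, ratio and total-output limits and refuses the file instead. All inputs are constructed inline, and the limit values and function names are assumptions chosen for the demonstration.

```python
"""Toy ZIP scanner: naive vs. resource-bounded (added example, not vendor code)."""
import io
import zipfile

# Limits are illustrative assumptions; a real engine tunes these per format.
MAX_DEPTH = 3                # nested containers we are willing to open
MAX_MEMBER_BYTES = 1 << 20   # 1 MiB inflated output per member
MAX_TOTAL_BYTES = 4 << 20    # 4 MiB inflated output across the whole scan
MAX_RATIO = 100              # inflated/compressed ratio above which we refuse

ZIP_LOCAL_HEADER = b"PK\x03\x04"


class ScanRefused(Exception):
    """Raised when a container trips a resource limit."""


def build_zip(members):
    """Construct an in-memory ZIP from {name: bytes}; returns the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_unbounded(blob, depth=0):
    """Naive scanner: trusts the container, inflates every member fully and
    recurses into every nested archive. Returns total inflated bytes."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)                 # no size limit: a bomb lands here
            total += len(data)
            if data.startswith(ZIP_LOCAL_HEADER):
                total += scan_unbounded(data, depth + 1)   # no depth limit either
    return total


def scan_bounded(blob, depth=0, budget=None):
    """Hardened scanner: same logic, with an explicit check before each step
    that could be abused. Returns total inflated bytes or raises ScanRefused."""
    if depth > MAX_DEPTH:
        raise ScanRefused("nesting too deep")
    budget = [MAX_TOTAL_BYTES] if budget is None else budget   # shared across recursion
    total = 0
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # Cheap checks on the header fields first: declared size and ratio.
            if info.file_size > MAX_MEMBER_BYTES:
                raise ScanRefused(f"{info.filename}: declares {info.file_size} bytes")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ScanRefused(f"{info.filename}: suspicious compression ratio")
            # Then bound what we actually inflate; never trust the header alone.
            with zf.open(info) as fh:
                data = fh.read(MAX_MEMBER_BYTES + 1)
            if len(data) > MAX_MEMBER_BYTES:
                raise ScanRefused(f"{info.filename}: inflated past member limit")
            budget[0] -= len(data)
            if budget[0] < 0:
                raise ScanRefused("total output budget exhausted")
            total += len(data)
            if data.startswith(ZIP_LOCAL_HEADER):
                total += scan_bounded(data, depth + 1, budget)
    return total


def verdict(blob):
    """Return 'clean' or the refusal reason, as a real engine would log it."""
    try:
        scan_bounded(blob)
        return "clean"
    except ScanRefused as exc:
        return f"refused: {exc}"


# Constructed sample inputs (not real malware).
BENIGN = build_zip({"readme.txt": b"hello" * 10,
                    "inner.zip": build_zip({"a.txt": b"x" * 100})})
BOMB = build_zip({"bomb.bin": b"\0" * (8 << 20)})     # 8 MiB of zeros, a few KiB on disk
NESTED = build_zip({"f.txt": b"x"})
for _ in range(5):                                   # five levels of zip-in-zip
    NESTED = build_zip({"n.zip": NESTED})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("bomb", BOMB), ("nested", NESTED)):
        print(f"{label:7s} {len(blob):6d} bytes on disk -> {verdict(blob)}")
    print("unbounded scanner inflated the bomb to", scan_unbounded(BOMB), "bytes")
```

The checks are ordered so that the cheapest ones, on fields already in the central directory, run before any inflation, and the budget is shared across recursion so that many small members cannot add up to what one large member is forbidden to do. None of this is a sandbox: a memory-corruption bug in the inflater would still run with the scanner's privileges, which is exactly the residual risk the article is about.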

Other security researchers argued that antivirus software is just one layer of protection and perhaps more important to individuals and small businesses than to enterprises that have the resources, including human resources, to deploy other types of protective measures. For nearly all users, installing software updates and patches is the single most important security measure, and that includes updating the antivirus product itself, since its own flaws are fixed the same way.

The fact is that antivirus software is indeed one layer of protection, not a complete security solution in itself. The security risks it poses are not peculiar to those tools but are inherent in any security system powerful enough to protect you. Effective security comes from being proactive, building in multiple levels of protection from the ground up and taking nothing for granted.
