May 30, 2019 By Mark Stone 3 min read

In April, Microsoft released a Windows update that wreaked havoc for anyone with antivirus (AV) software from several developers, including Avast, Avira, ArcaBit, McAfee and Sophos. The Microsoft update reported that some users might experience “slow or unresponsive” machines after the reboot. One AV software vendor even noted that after the update, login times might be prolonged, and in some cases users may be prevented from logging in altogether.

While this may be nothing more than a nuisance from a technical standpoint, from the big-picture perspective, it doesn’t help the perception of most enterprise users that security software only gets in the way of getting things done. Ultimately, if incidents like this persist — and they likely will — our level of threat protection may plummet.

When I read this story, several questions came to mind: What can be done to ensure this doesn’t happen again? How should IT departments react? With whom does the responsibility lie? Is this even a cause for concern?

Complexity Is the Enemy of Security

I reached out to Josh Mayfield, director of security strategy for Absolute, to help answer these questions and provide insight into why this issue is symbolic of a larger-scale problem for the cybersecurity industry. He told me that what kept running through his mind was the notion that complexity is the enemy of security.

“This will happen again because the system has become overly complex,” he said. “There are so many different dependencies, so many intervening links, and many don’t play by the same rulebook.”

When AV products are designed independently of one another, it is only natural that they compete for the same system resources; they are playing in a zero-sum field. “What’s so critical is that the operating system update will trump all of them,” Mayfield said. “If the update is problematic, there’s no way Microsoft can account for everything out there. When the update comes out, everyone is going to do it. It’s a very complex tangle, and it only exacerbates the problem. Complexity is driving that failure.”

Play (and Test) in the Sandbox

While many cybersecurity threats are preventable, this specific conundrum complicates matters for IT teams, who will have to install the update sooner or later. The best way forward could be to deploy sandboxing: stage the update in a test environment before rolling it out to production.

“It doesn’t have to be extraneous; even using 1-5 percent proportion of all your other resources,” Mayfield suggests. “I would encourage people to not only sandbox things and create an environment that mirrors your real environment, but let it run a little bit. There could be initial dormant processes that only awaken after the device is used in a real-world context and representative of your device population.”

Unfortunately, for many organizations the sandboxing period doesn’t last long enough to accurately identify all of the downstream effects an update has on the other software in the environment. And since disruptions on this scale are likely to recur, it appears that we may only see positive change if all players in the cybersecurity industry take more responsibility. However, most industry analysts will agree that, at least in this particular circumstance, Microsoft has ownership of the problem.

Finding a Long-Term Solution for IT Complexity

Where does the responsibility to safeguard the industry lie? For Mayfield, the principle of buyer beware has a key role to play.

“Make sure you’re not going to do something that will harm your IT environment,” he said. “But on the industry side, who is going to own this?”

A lot of culpability falls to the general community of AV software vendors for their myopic thinking. And with so many vulnerabilities out there to patch, this story may only serve as yet another example of IT complexity wreaking havoc until the industry takes action.

“Who is responsible is usually the last one to touch it, and in some cases, it’s the AV agents,” Mayfield said. “We keep adding and adding, and then we wonder why we are in the Gordian knot. But it’s a knot we tied ourselves. The security industry can benefit from an industry that is less self-centered, so things don’t break as often.”

One long-term solution could be increased regulation for cybersecurity products. This would likely introduce some complexities of its own, but in the long run, the safeguards could spare organizations more serious problems down the road. “We already have regulations for encryption, so why can’t we do this for other protective tools that define the minimum requirements for cyber products?” Mayfield asks.

It’s a great question — and perhaps new regulations could provide some key answers for the whole industry around cybersecurity.
