By Sarah Lacy
June 17, 2005
Software meant to protect PCs is now an attack target, revealing a
rising number of flaws -- even more than those of Microsoft products
Think you're safe because your computer has the latest antivirus
program, complete with daily updates via the Web? Or maybe you figure
the firewall you have installed will stop malicious software from
reaching your machine.
Well, you may not be as secure as you think. Hackers are increasingly
finding flaws in the very programs designed to prevent attacks --
A new Yankee Group report, to be released June 20, shows the number of
vulnerabilities found in security products increasing sharply for the
third straight year -- and for the first time surpassing those found
in all Microsoft (MSFT) products. The majority of these weaknesses
are found by researchers, academics, and security companies. Trouble
is, hackers then take those findings and use them for nefarious
SAME EXCUSE. Last year, researchers found 60 flaws in a variety of
computer-security programs, almost double the 31 vulnerabilities
discovered in 2003, according to Andrew Jaquith, a Yankee senior
analyst who culled a national database of reported software
vulnerabilities. Through May, 2005, 23 software glitches have been
counted -- already up 50% over last year. And that figure doesn't
include those yet to come this summer, when the biggest attacks are
usually launched. So far this year, researchers have found only 22
vulnerabilities in Microsoft's products.
The trend is an embarrassment for computer-security outfits that have
made billions protecting PCs from cybercrooks. And much of that work
has come from fixing, or protecting against, lapses in the security of
Microsoft products. Now, it seems, the tables may be turning. Indeed,
security concerns are offering the same reason for glitches as many
software makers: "Everyone knows there's no way to have perfect
software," says Jimmy Kuo, a research fellow with McAfee (MFE).
Symantec (SYMC) has had the most reported vulnerabilities, with 16
documented last year (see BW Online, 6/17/05, "A New Frontier for
Hackers?"). But so far this year, it has fared better: Through May,
only two vulnerabilities were reported.
BRAGGING RIGHTS. Still, Symantec is a target because it's the market
leader. Hackers generally want to crack programs with the largest
installed base -- thus offering the maximum impact for their exploits.
That's one of the rationales Microsoft has used to explain why its
products seem to have so many reported security glitches. But Jaquith
points out that McAfee, the second-largest security player, decreased
its vulnerabilities over the last year. "This is a leading indicator
of the relative quality of the two products," he argues.
Symantec executives declined to grant an interview. But the outfit did
issue a statement saying the report compares the products of a single
company -- Microsoft -- to the entire security industry. "This is not
an apples-to-apples comparison," the statement said. Jaquith responds
that the comparison was made because Microsoft has been hackers'
target of choice. He notes that more broadly, security vulnerabilities
grew at a pace greater than the whole software industry last year.
What's driving the increasing discovery of flaws in the very products
supposed to prevent attack? Part of it comes down to professional
bragging rights. Computer-security consultants and researchers are
always out to prove they can find vulnerabilities in software. The
idea is: Once those holes have been discovered and made public, the
businesses will move quickly to patch their programs.
Having torn through Microsoft's operating system for years, researchers
now find fresh opportunity in security programs. Meanwhile, many
hackers have started finding flaws in security software out of
necessity: the software has become so prevalent that it blocks most
modes of attack.
WAKE-UP CALL. While more flaws are being found, only one has been
exploited to launch a massive attack over the Internet. The Witty
Worm, which targeted security concern Internet Security Systems'
(ISSX) software, was sent 72 hours after the vulnerability was
disclosed on Mar. 20, 2004.
A subset of ISS customers who get real-time patches over the Web were
protected, but others were not, says ISS Chief Executive Thomas
Noonan. The worm wrote over sections of infected hard drives,
rendering the machines unusable. In all, 12,000 servers were infected.
But the malicious software trashed more than hard drives: ISS's stock
dropped about 5%, to $15.98, after the worm was announced. It has
since climbed back, to close at $21.60 on June 16.
ISS has only had three vulnerabilities in its history, but Noonan
calls it a wake-up call nonetheless. "Less than 1% of our customers
were compromised, but dealing with that 1% was enormous," he says. "It
has affected a number of things we do internally." Noonan wouldn't
comment further about the attack's repercussions, as it's under a
DANGEROUS DAWNING. That should have been a wake-up call to other
companies as well. Jaquith advises vendors to ratchet up their
internal testing. Both Symantec and McAfee recently acquired
consulting firms that are experts in launching test attacks before the
software is released. "They both have the tools in-house, it's a
question of putting them to use," he says.
Vendors say they're already taking the threats seriously. Indeed, a
new reality may be dawning for the antivirus world -- code just isn't
safe anymore, no matter how good. "Software is software," says Ken
Silva, chief security officer for VeriSign (VRSN). "I wouldn't
classify it as a failure on the part of the security industry. Hackers
are just getting a little smarter."
If the security industry is going to keep growing at double-digit
rates, it'll have to get smarter, too.
Lacy is a BusinessWeek Online reporter in San Mateo, Calif.
Edited by Ira Sager