The case AGAINST antivirus

PC & Tech Authority - FEATURE

There are two main complaints against antivirus: it’s riddled with bugs, and the way it’s designed gets in the way of other software measures. Let’s start with the first. Head over to Google’s Project Zero (bugs.chromium.org/p/project-zero) and search for antivirus under “all issues” – you’ll find a long list of reported bugs from a host of vendors. You’ll also quickly notice that the vast majority of reports are filed by one Tavis Ormandy, Google’s belligerent and persistent security researcher.

The infamous bug hunter and antivirus critic last summer uncovered flaws in Symantec products that he said were “as bad as it gets”, and has also dug out bugs in Kaspersky, McAfee, Trend Micro and Sophos. In a statement to PC&TA, Symantec said that it “continually improves the protection delivered by our products with regular updates” and that it works not only with its own experts but with independent security researchers.

However, Ormandy isn’t alone in discovering cavities in the software that’s meant to be protecting us. Joxean Koret, a researcher at Singaporean security firm COSEINC, spent a year poking holes in antivirus, finding dozens of vulnerabilities, largely in software written in C/C++. In his presentation, he uses language saucier than this magazine can print to suggest that antivirus companies don’t care about security in their own products, and wonders “why is it harder to exploit browsers than security products?”

Meanwhile, a report from Flexera Software at the end of last year revealed that 11 of the 46 pieces of software on its rankings of most vulnerabilities were actually security products.

Naturally, it’s not only white hats who are searching for holes in antivirus. The tranche of 8,000 pages of documents about the CIA’s hacking skills published by WikiLeaks revealed the American spies have an unflattering opinion of antivirus. Comodo was described as being a “colossal pain in the posterior” for spies to get around, but an older version of its antivirus has a “gaping hole of doom”. A now-patched flaw in Kaspersky allowed spies to bypass all protections, and one CIA hacker crowed about a “totally sweet” bug in AVG.

“Antivirus is a technology that should be used with extreme caution,” said Craig Young, security researcher at Tripwire. “In recent years, evidence has been piling up to show that weaknesses in virtually every antivirus product available could actually expose end users to more serious risks than the viruses they are protecting against.”

Those flaws are all the more dangerous because of the way most antivirus software occupies an elevated position, and because it uses invasive techniques to sniff out attackers. Normally, malware must trick users into clicking a link, opening a document or running an executable, Young notes.

That means “weaknesses in the antivirus program can be exploited without any user interaction,” he explains. “If an adversary knows what kind of antivirus a target is using and can identify a vulnerability in that product, gaining complete control of the remote systems can simply be a matter of sending an email, even if the email is never opened.”

Robert O’Callahan worked at Firefox developer Mozilla for 16 years and, when he left the company, he took a parting shot at security software developers with an inflammatory post on his blog (tinyurl.com/hojduc4), titled “Disable your antivirus software (except Microsoft’s)”. He said that antivirus “products poison the software ecosystem because their invasive and poorly implemented code makes it difficult for browser vendors and other developers to improve their own security”.

O’Callahan’s own example came when he was working on Firefox for Windows to implement address space layout randomisation (ASLR), which protects against a type of attack called “buffer overflow” by randomising where executables are loaded into memory. O’Callahan said “many antivirus vendors broke it by injecting their own ASLR-disabling DLLs into our processes.

“Several times antivirus software blocked Firefox updates, making it impossible for users to receive important security fixes,” he continued. “Major amounts of developer time are soaked up dealing with antivirus-induced breakage, time that could be spent making actual improvements in security.”

Another concern is how most antivirus sits between your browser and the web, creating the possibility for a man-in-the-middle attack. To see encrypted traffic and check it’s not malicious, the software intercepts it – sometimes by default, other times with user permission – creating its own Transport Layer Security (TLS) connection to the site and taking over the browser’s job of checking certificates. In other words, antivirus breaks existing browser security systems to use a hacking technique against its own customers.
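One concrete way an injected DLL undermines ASLR is being linked without the DYNAMIC_BASE flag, so the loader places it at its fixed preferred address inside an otherwise randomised process. The following added example (written for this page, not code from the article, Mozilla or any antivirus vendor) parses the PE header and reports which mitigation flags an image declares, so an administrator can audit the modules a process loads; the `make_fake_pe` helper builds a constructed, minimal header purely so the check can run offline.

```python
import struct
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* flag bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR)
HIGH_ENTROPY_VA = 0x0020  # 64-bit image accepts high-entropy randomisation
NX_COMPAT = 0x0100        # DEP / no-execute compatible

def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # The 20-byte COFF FileHeader follows the signature, then the optional header.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]

def aslr_report(data: bytes) -> dict:
    """Summarise the load-time mitigations this image opts into."""
    flags = dll_characteristics(data)
    return {
        "dynamic_base": bool(flags & DYNAMIC_BASE),
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "nx_compat": bool(flags & NX_COMPAT),
    }

def weak_modules(paths):
    """Yield (path, report) for every PE on disk that lacks DYNAMIC_BASE."""
    for p in map(Path, paths):
        report = aslr_report(p.read_bytes())
        if not report["dynamic_base"]:
            yield str(p), report

def make_fake_pe(flags: int) -> bytes:
    """Build a constructed, minimal PE32+ header (not a real DLL) for testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS stub
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
```

Pointing `weak_modules` at the DLLs listed for a running browser process (for example from Process Explorer) shows which third-party modules load at a predictable address.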
