The jury’s verdict
Whether you need to worry about antivirus’ inherent flaws depends on your risk profile. If you’re a potential target of state-sponsored hacking or other serious, targeted attacks, the bugs in antivirus may well present a serious risk.
But what about the rest of us? We asked resident security guru Davey Winder for his thoughts. “Remember, all software has bugs. Would I suggest you don’t use any AV software? No, of course not. Similarly, I wouldn’t suggest you rely upon any antivirus software alone to protect your networks and data. A multi-layered security posture is the way forward for most people, most of the time; and antivirus remains a valid layer within that posturing.”
The antivirus firms also seem to be stepping up their own security. They are wisely starting to offer bug bounty payments to encourage security researchers to cast a glance over their code, and while some seem to view Ormandy et al with a suspicious eye, others are happy to work with flaw finders to harden their software.
But that only addresses the coding flaws in antivirus. Where it sits makes those bugs more dangerous. Perhaps it’s time for antivirus to develop a better, safer scanning system – Sullivan points out that F-Secure doesn’t play man-in-the-middle to watch over HTTPS traffic. “We are missing one opportunity to spot some malicious code and kill it in the bud,” he admits. “But we made that call several years back that we don’t want to be in the position of being a man-in-the-middle, even if that is a trusted man-in-the-middle. You just have to work harder on the other layers you’ve got.”
Other developers (see right) note that Chrome and Firefox both support other techniques to filter traffic, so no “man-in-the-middle” is required.
In the meantime, users are being left with something of a Hobson’s choice. “Should the antivirus products use better, more secure designs? Absolutely! There is much that needs improvement in this aspect,” Bontchev argues. “But, most importantly, what is needed is a dialogue.”
While the pursuit and publication of antivirus bugs has raised awareness of the issue, it’s key for antivirus makers and bug hunters to remember they’re working towards the same goal – keeping users safe.