PC Pro

The jury's verdict


On the other hand, standard malware is easy to find and easy to exploit. “Clearly, commodity malware presents a much greater risk than extremely sophisticated attackers using a hypothetical bug in your antivirus software,” Bontchev argues. “I can think of only one or two cases when malware leveraged a bug in some antivirus product to attack computers,” he said. “Compare that with a million-per-day cases of ‘normal’, commodity malware attacking millions of people around the globe. Clearly, using antivirus software for protection against at least the malware it can detect and stop by far outweighs the risk of hypothetical unpatched bugs in said antivirus software.”

F-Secure security advisor Sean Sullivan agrees. “For the last decade, it’s not been high-skilled, high-motivated attackers that we’ve been dealing with,” he said, adding that researchers such as Ormandy appear to be trying to protect victims from targeted, specialised attacks.

He’s also critical of the way researchers often publish such flaws if they’re not fixed within a defined period of time. “I don’t know that that’s the best utilitarian choice in terms of harm and the amount of harm it might cause,” he said. “Because when they disclose something like that, they are potentially giving cyber criminals… a free gift.”

Bontchev agrees that antivirus products too often use a “design that is not the best from a security point of view,” but, once again, “while the complaints are correct, the conclusion is completely wrong”. To Bontchev, there is good reason to meddle with HTTPS, for example, as plenty of malware uses such encrypted channels for communication. “If you don’t break the encryption, you can see which site the user is trying to visit (more exactly, its IP address) but not which particular link (URL, page) on this site,” he argues. “Sometimes malware is stopped because the user is attempting to access a ‘known bad’ URL. If you can’t get the URL, you can’t stop it.”
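As an added illustration of Bontchev's point (example code, not from the article or from any vendor named in it): a filter that does not break TLS can read the hostname the client sends in the clear in the ClientHello's Server Name Indication (SNI), but the path stays inside the encrypted stream, whereas a plaintext HTTP request exposes the full URL. The ClientHello bytes and the HTTP request below are constructed for the example.

```python
import struct

def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record whose only extension is SNI."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni                     # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)          # version + 32-byte random (zeros, constructed)
            + b"\x00"                        # empty session id
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 = handshake

def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if absent or malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    try:
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
        p += 1 + hs[p]                                   # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= min(end, len(hs)):
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                               # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def http_target(request):
    """Plaintext HTTP: request line plus Host header reveal the full URL."""
    lines = request.split(b"\r\n")
    path = lines[0].split()[1].decode()
    host = next(l.split(b":", 1)[1].strip().decode()
                for l in lines[1:] if l.lower().startswith(b"host:"))
    return "http://" + host + path
```

Run against the constructed ClientHello, `extract_sni` yields only the hostname, which is all a non-intercepting URL filter has to match on; `http_target` on a cleartext request yields host and path together.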

Time for another risk assessment. “What presents a greater risk: attackers trying to break your encryption when you’re visiting sites, or commodity malware that would infect your machine?” Bontchev asks. “While the former isn’t harmless — it can lead to the attacker capturing your passwords — it is rare; practically unheard of, except when professional spy agencies are involved. The latter, commodity malware, happens every damn day to millions of people.”


Whether you need to worry about antivirus’ inherent flaws depends on your risk profile. If you’re a potential target of state-sponsored hacking or other serious, targeted attacks, the bugs in antivirus may well present a serious risk.

But what about the rest of us? We asked resident security guru Davey Winder for his thoughts. “Remember, all software has bugs. Would I suggest you don’t use any AV software? No, of course not. Similarly, I wouldn’t suggest you rely upon any antivirus software alone to protect your networks and data. A multilayered security posture is the way forward for most people, most of the time; and antivirus remains a valid layer within that posturing.”

The antivirus firms also seem to be stepping up their own security. They are wisely starting to offer bug bounty payments to encourage security researchers to cast a glance over their code, and while some seem to view Ormandy et al with a suspicious eye, others are happy to work with flaw finders to harden their software.

But that only addresses the coding flaws in antivirus. Where it sits makes those bugs more dangerous. Perhaps it’s time for antivirus to develop a better, safer scanning system – Sullivan points out that F-Secure doesn’t play man-in-the-middle to watch over HTTPS traffic. “We are missing one opportunity to spot some malicious code and kill it in the bud,” he admits. “But we made that call several years back that we don’t want to be in the position of being a man-in-the-middle, even if that is a trusted man-in-the-middle. You just have to work harder on the other layers you’ve got.”

Other developers (see right) note that Chrome and Firefox both support other techniques to filter traffic, so no “man-in-the-middle” is required.

In the meantime, users are being left with something of a Hobson’s choice. “Should the antivirus products use better, more secure designs? Absolutely! There is much that needs improvement in this aspect,” Bontchev argues. “But, most importantly, what is needed is a dialogue.”

While the pursuit and publication of antivirus bugs has raised awareness of the issue, it’s key for antivirus makers and bug hunters to remember they’re working towards the same goal – keeping users safe.
