Security product flaws are magnet for attackers

The software vulnerability exploited by last week's Witty worm is only the latest in a growing list of flaws being discovered in...

The software vulnerability exploited by last week's Witty worm is only the latest in a growing list of flaws being discovered in the very products users invest in to safeguard their systems.

"This is a new realm of risk that users must confront: the security of security products," said Andrew Plato, president of Anitian Enterprise Security, a systems integration and consulting firm in the US. 

The Witty worm, which was reported to have damaged 15,000 to 20,000 computers worldwide, took advantage of a flaw involving the BlackIce and RealSecure intrusion-prevention products from Internet Security Systems.

The worm wrote random data onto the hard discs of vulnerable systems, causing the drives to fail and making it impossible for users to start up the systems. 

The flaw was the result of a buffer-overflow condition in a function used to detect peer-to-peer traffic, said Chris Rouland, director of the X-Force security team at ISS. 

The company worked "very quickly" to reduce the risk after being informed of the problem by eEye Digital Security, Rouland added. But Witty was released "almost immediately" after the fix became available and before many users had time to respond. 

Rouland noted that the number of major flaws that have been discovered in ISS products over the past five years has been limited to two - well below the industry average, he stressed, because ISS follows strong quality and code-audit processes. 

Just a few weeks earlier, a vulnerability caused by an unchecked buffer was discovered in a firewall from Zone Labs in San Francisco. Fred Felman, vice president of marketing at Zone Labs, said his company also responded quickly, so no exploits were reported. Felman added that Zone Labs follows "stringent" processes for product quality. 

In February, vulnerabilities were discovered in a firewall from Check Point Software Technologies that could have allowed attackers to modify firewall rules. 

Similarly, a critical vulnerability was discovered in an internet security product from Symantec that would have let attackers gain remote access to a compromised system. Overall, security companies average about four critical vulnerabilities each year, according to statistics from ISS. 

The trend is not a particularly comforting one, Plato said. "Users should be very worried about this. The mad dash to be 'first to market' on every feature often creates sloppy engineering." 

Security software is becoming an attractive target for attackers, said Gartner analyst John Pescatore. "If you are a hacker and you want to get some publicity, the best way to get it is to break into a security product."

Last week's Witty incident also put the spotlight on a troubling habit by some security suppliers to search for and disclose flaws in rival products as part of their competitive efforts, said Pete Lindstrom, an analyst at Spire Consulting. 

eEye, which discovered the ISS flaw, sells products that compete with those from ISS. It was also eEye that discovered the Zone Labs flaw. And ISS in the past has found problems in other suppliers' products, such as those from rival Check Point. 

"It's a fundamental conflict of interest," Lindstrom said. "Why would you even be looking at your competitors' products to begin with?" 

According to Firas Rouf, chief operating officer at eEye, his company does not specifically search for flaws in competitors' products, claiming that the discovery of the ISS flaw was the result of research being conducted on a similar product being developed by eEye. 

Rouland said ISS is interested only in finding vulnerabilities that exist in broadly used products. "We would look at a Check Point product just as we would a Microsoft product, because they are both so widely deployed."

Jaikumar Vijayan writes for Computerworld

Read more on IT strategy