More vendors join the list of insecure security products

Insecure security products. A contradictio in terminis but they do exist. Adding products to secure your environment actually adds new attack vectors. This reminds me of a presentation on CCCamp day two:

• Antivirus (In)Security: Bugs in Antivirus Software by Sergio 'shadown' Alvarez

Some myths:

• Anti-virus software is secure and makes your network and servers safe
  
• Anti-virus software is developed by security experts
• With Anti-virus software, I cannot get infected

The facts:

• Anti-virus software does have bugs
  
• Anti-virus software is made by normal programmers just as any software
• Anti-virus detection: not all packers are detected, old viruses tend not to get detected, someone has to suffer first

Some of the more common problems are:

• Communication protocols sometimes work as security by obscurity (not good)
  
• Hardcoded passwords have been seen hardcoded in binaries
• Unproper password handling: password of administrator console sometimes stored on the client side config file
• Client listeners sometimes have standard security issues (fuzzing). This means very bad input handling.
• They don't implement all filetype features
• They don't always know to handle big files (>2GB)

You can now add Trend Micro, Check Point Zone Labs and ClamAV to the list of vendors with insecure security products. If you want to sell security, begin with a SDL for your software.

The three vendors have all acknowledged various security vulnerabilities in a range of desktop and server products that could lead to arbitrary code execution, privilege escalation or denial-of-service conditions.

Defense discovered about a remotely exploitable buffer overflow in Trend Micro Inc.’s SSAPI Engine that could allow attackers to execute arbitrary code with system level privileges.

The latest black-eye for security vendors has also affected Check Point Zone Labs. From an iDefense alert:

Local exploitation of an insecure permission vulnerability in multiple Check Point Zone Labs products allows attackers to escalate privileges or disable protection.

The vulnerability specifically exists in the default file Access Control List (ACL) settings that are applied during installation. When an administrator installs any of the Zone Labs ZoneAlarm tools, the default ACL allows any user to modify the installed files. Some of the programs run as system services. This allows a user to simply replace an installed ZoneAlarm file with their own code that will later be executed with system-level privileges.

Exploitation allows local attackers to escalate privileges to the system level. It is also possible to use this vulnerability to simply disable protection by moving all of the executable files so that they cannot start on a reboot.

ClamAV has also struggled with security problems that could lead to sudden denial-of-service crashes. Secunia rates the ClamAV issues as “moderately critical.”

In the beginning of this month, also Symantec patched a severe security vulnerability in their Norton AntiVirus, Norton Internet Security, and Norton System Works products.

So keep your software up-to-date, especially your security products.

UPDATE (23/08/2007): There is currently active scanning underway to exploit the TrendMicro vulnerability.