It’s time to get serious about the security of security products

Graham Cluley

VB2015, Prague – Computer security vendors were told it was time for them to raise their game by the editor of Virus Bulletin magazine today, as he opened proceedings at the 25th Virus Bulletin international conference.

Martijn Grooten took time away from his normal duties of thanking sponsors and introducing the schedule of proceedings for the three day technical conference, by reminding attending vendors, security researchers and software engineers that it would be a mistake to think that the software they produced was immune from its own software vulnerabilities.

Martijn Grooten at VB 2015

The advice couldn’t be more timely, as recent revelations have found exploitable vulnerabilities of differing levels of severity in a variety of security products.

Grooten explained that although in most cases fixes from security vendors have been pushed out rapidly, some vulnerability researchers have been threatened with legal action:

“With varying motives, a number of security researchers are spending their time looking for vulnerabilities in such products. Indeed, they have found quite a few of them, which shouldn’t surprise anyone, definitely not anyone in this room. Security software is software after all.”

“The response from vendors has generally been to patch quickly – though in some cases the response has been a bit less pleasant and involved lawyers. I would like to urge all security vendors to appreciate the work of these researchers, to embrace their efforts and to work with them to ensure vulnerabilities are patched.”

It was a hard message for some attendees to hear, aware that – in some cases – vulnerability researchers had been uncooperative, or had released details of how security holes could be exploited before there had been a chance to update users.

Grooten’s message? “Tough”.

“Yes, I know some of these researchers can appear like professional trolls. Yes, the media loves these stories and their reports tend to overstate the risk of exploitation and ignore how quickly the vulnerabilities are patched. Tough. That’s what happens to other software vendors too – so just bite the bullet.”

“Security vendors should be an example of how to do security right and that includes working with researchers who hunt for vulnerabilities and also being open that such vulnerabilities exist in the first place.”

The good news is that security software such as anti-virus products is already engineered with regular, rapid updates in mind. So whenever a problem is found, it shouldn’t be beyond the means of any able company to push out a fix within a reasonable amount of time.

That’s important because, of course, security software running on your computers and servers is the potential attack surface that malicious hackers might be targeting with their campaigns.

A mail-scanning product, for instance, opens every file attachment that is sent into a company – and if a booby-trapped file is able to exploit a vulnerability in the scanner and gain write access to a system it should never have been given access to, that’s an enormously powerful opportunity for a criminal gang to wreak havoc.


Security software, in its various forms, is probably being run on more computers than – say – Adobe Flash, PDF Reader or even Internet Explorer, all of which are typically on the receiving end of blame for being buggy.

So the security software itself has become an enticing target for attackers, and it needs to be properly secured so that it is not prone to potentially devastating exploitation.

The truth is that all of us, whether security vendors or not, have a responsibility to vet the code we produce, and nobody should blindly trust that anyone’s software is bug free.

Perhaps, with that in mind, more companies in the computer security industry should consider Martijn Grooten’s final plea – that it should be easy and attractive for vulnerability researchers to report bugs to companies:

“Do consider setting up a bug bounty programme. Or, if that doesn’t work for you, at least make it as easy as possible for someone to report vulnerabilities. Because it could happen that one day, a vulnerability in a security product is exploited widely – and that wouldn’t just be bad for the affected users. It would be bad for the security community as a whole.”

It will certainly be interesting to return to the VB conference next year and see just how many security vendors have taken steps towards creating a bug bounty, and which have found themselves suffering because they have not found a way of making third-party vulnerability researchers feel like they are part of their team.

This article was originally published on the HEAT Security blog.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
