Feeds

Internet security suites fail to block exploits

Tests expose 'chocolate teapot' shortcomings

Intelligent flash storage arrays

Internet security suites do little to protect users against exploits, according to security notification firm Secunia.

The Danish security notification firm is urging a root and branch rethink on how security suites are designed, moving away from "ineffective signature-based detection" to a smarter form of defence.

However, an anti-virus expert whose firm's products were not involved in the tests said Secunia's approach only tested against one aspect of how security suites protect consumers, and were therefore potentially misleading.

Secunia tested 12 suites (which typically bundle firewall, anti-malware and anti-spam functions) against a range of 300 exploits targeting vulnerabilities in various high-profile programs.

Even though it blocked only 64 out of 300 exploits, Symantec's Norton Internet Security 2009 came out best from the test, detecting almost ten times more exploits than its nearest competitor. Security suites from the likes of Kaspersky, Check Point, Microsoft, AVG and McAfee all flopped.

Security product bundles are marketed as comprehensive Internet Security Suites, leaving the impression that the user is fully protected against internet threats. Secunia's tests suggest the products fail to do what they say on the tin. Symantec has recently begun introducing behaviour-based detection, which helps to explain why its software did the best of a bad bunch.

Thomas Kristensen, chief technology officer at Secunia, said that the shortcomings of security suites combined with the fact users rarely keep systems fully patched made a recipe for trouble.

"While we did suspect that the popular security vendors would score quite poorly in detecting exploits, the extremely low detection rate took us by surprise and this really begs the question: Does the customer get their money's worth?"

Computer users therefore need to keep up to date with patches in order to have any hope of withstand hacking attacks. Secunia's free Personal Software Inspector (PSI)* and the similar functionality within Kaspersky Internet Security 2009 make it easier to keep up to date with patching.

Graham Cluley, senior technology consultant at Sophos, which focuses on the corporate market and did not take part in the tests, agreed that applying patches was important. "There's no such thing as a perfect security suite, but security software reduces threats and people shouldn't come away from these tests with the conclusion that they these products are ineffective."

Cluley added that the tested problems might do better in real world conditions rather than in the lab because of run time protection. Security products commonly scan files before they are run as well as monitoring what they are doing once they begin running. That means that although Word files harbouring 0day exploits, for example, may make it past scanners they might be prevented from running.

"They [Secunia] haven't actually "run" these exploits on the computer - so it's not really a "real-life" test of how well these security suites would perform," Cluley explained. "It sounds like only one aspect of the suites was tested, rather than all of the ways in which they might have been able to protect the users."

Secunia said its tests illustrated the shortcomings of signature-based security suites. Generic detection of exploits would be a better approach because what triggers a vulnerability (unlike the payload of an attack) doesn't alter, Kristensen pointed out.

"Even with a very rapid creation of payload-based signatures, all their customers are still left exposed for a considerable amount of time from the point when the criminals start distributing their new payload until it has been 'caught', analysed, a signature has been created, the signature has undergone quality assurance testing, the signature is published, and finally downloaded and activated by the security software," Kristensen said.

"Determining the characteristics of a vulnerability is somewhat more complicated and takes longer than than creating a payload based signature, however, it need only be created once," he continued. "Often the security vendors can finish their analysis and create a signature in the same time as the criminals can develop an exploit and start their criminal attacks."

Cluley argued that this criticism was misplaced, as security firms all moved away from signature-based detection years ago. He said modern security suites made far greater use of generic and behaviour-based detection as a way of dealing with the growing volume of malware-sample production.

A full round-up of the exploits and vulnerabilities used in the tests and a rundown of results can be found here (pdf). ®</p

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.