Feeds

Internet security suites fail to block exploits

Tests expose 'chocolate teapot' shortcomings

The Essential Guide to IT Transformation

Internet security suites do little to protect users against exploits, according to security notification firm Secunia.

The Danish security notification firm is urging a root and branch rethink on how security suites are designed, moving away from "ineffective signature-based detection" to a smarter form of defence.

However, an anti-virus expert whose firm's products were not involved in the tests said Secunia's approach only tested against one aspect of how security suites protect consumers, and were therefore potentially misleading.

Secunia tested 12 suites (which typically bundle firewall, anti-malware and anti-spam functions) against a range of 300 exploits targeting vulnerabilities in various high-profile programs.

Even though it blocked only 64 out of 300 exploits, Symantec's Norton Internet Security 2009 came out best from the test, detecting almost ten times more exploits than its nearest competitor. Security suites from the likes of Kaspersky, Check Point, Microsoft, AVG and McAfee all flopped.

Security product bundles are marketed as comprehensive Internet Security Suites, leaving the impression that the user is fully protected against internet threats. Secunia's tests suggest the products fail to do what they say on the tin. Symantec has recently begun introducing behaviour-based detection, which helps to explain why its software did the best of a bad bunch.

Thomas Kristensen, chief technology officer at Secunia, said that the shortcomings of security suites combined with the fact users rarely keep systems fully patched made a recipe for trouble.

"While we did suspect that the popular security vendors would score quite poorly in detecting exploits, the extremely low detection rate took us by surprise and this really begs the question: Does the customer get their money's worth?"

Computer users therefore need to keep up to date with patches in order to have any hope of withstand hacking attacks. Secunia's free Personal Software Inspector (PSI)* and the similar functionality within Kaspersky Internet Security 2009 make it easier to keep up to date with patching.

Graham Cluley, senior technology consultant at Sophos, which focuses on the corporate market and did not take part in the tests, agreed that applying patches was important. "There's no such thing as a perfect security suite, but security software reduces threats and people shouldn't come away from these tests with the conclusion that they these products are ineffective."

Cluley added that the tested problems might do better in real world conditions rather than in the lab because of run time protection. Security products commonly scan files before they are run as well as monitoring what they are doing once they begin running. That means that although Word files harbouring 0day exploits, for example, may make it past scanners they might be prevented from running.

"They [Secunia] haven't actually "run" these exploits on the computer - so it's not really a "real-life" test of how well these security suites would perform," Cluley explained. "It sounds like only one aspect of the suites was tested, rather than all of the ways in which they might have been able to protect the users."

Secunia said its tests illustrated the shortcomings of signature-based security suites. Generic detection of exploits would be a better approach because what triggers a vulnerability (unlike the payload of an attack) doesn't alter, Kristensen pointed out.

"Even with a very rapid creation of payload-based signatures, all their customers are still left exposed for a considerable amount of time from the point when the criminals start distributing their new payload until it has been 'caught', analysed, a signature has been created, the signature has undergone quality assurance testing, the signature is published, and finally downloaded and activated by the security software," Kristensen said.

"Determining the characteristics of a vulnerability is somewhat more complicated and takes longer than than creating a payload based signature, however, it need only be created once," he continued. "Often the security vendors can finish their analysis and create a signature in the same time as the criminals can develop an exploit and start their criminal attacks."

Cluley argued that this criticism was misplaced, as security firms all moved away from signature-based detection years ago. He said modern security suites made far greater use of generic and behaviour-based detection as a way of dealing with the growing volume of malware-sample production.

A full round-up of the exploits and vulnerabilities used in the tests and a rundown of results can be found here (pdf). ®</p

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.