Feeds

Internet security suites fail to block exploits

Tests expose 'chocolate teapot' shortcomings

Protecting against web application threats using SSL

Internet security suites do little to protect users against exploits, according to security notification firm Secunia.

The Danish security notification firm is urging a root and branch rethink on how security suites are designed, moving away from "ineffective signature-based detection" to a smarter form of defence.

However, an anti-virus expert whose firm's products were not involved in the tests said Secunia's approach only tested against one aspect of how security suites protect consumers, and were therefore potentially misleading.

Secunia tested 12 suites (which typically bundle firewall, anti-malware and anti-spam functions) against a range of 300 exploits targeting vulnerabilities in various high-profile programs.

Even though it blocked only 64 out of 300 exploits, Symantec's Norton Internet Security 2009 came out best from the test, detecting almost ten times more exploits than its nearest competitor. Security suites from the likes of Kaspersky, Check Point, Microsoft, AVG and McAfee all flopped.

Security product bundles are marketed as comprehensive Internet Security Suites, leaving the impression that the user is fully protected against internet threats. Secunia's tests suggest the products fail to do what they say on the tin. Symantec has recently begun introducing behaviour-based detection, which helps to explain why its software did the best of a bad bunch.

Thomas Kristensen, chief technology officer at Secunia, said that the shortcomings of security suites combined with the fact users rarely keep systems fully patched made a recipe for trouble.

"While we did suspect that the popular security vendors would score quite poorly in detecting exploits, the extremely low detection rate took us by surprise and this really begs the question: Does the customer get their money's worth?"

Computer users therefore need to keep up to date with patches in order to have any hope of withstand hacking attacks. Secunia's free Personal Software Inspector (PSI)* and the similar functionality within Kaspersky Internet Security 2009 make it easier to keep up to date with patching.

Graham Cluley, senior technology consultant at Sophos, which focuses on the corporate market and did not take part in the tests, agreed that applying patches was important. "There's no such thing as a perfect security suite, but security software reduces threats and people shouldn't come away from these tests with the conclusion that they these products are ineffective."

Cluley added that the tested problems might do better in real world conditions rather than in the lab because of run time protection. Security products commonly scan files before they are run as well as monitoring what they are doing once they begin running. That means that although Word files harbouring 0day exploits, for example, may make it past scanners they might be prevented from running.

"They [Secunia] haven't actually "run" these exploits on the computer - so it's not really a "real-life" test of how well these security suites would perform," Cluley explained. "It sounds like only one aspect of the suites was tested, rather than all of the ways in which they might have been able to protect the users."

Secunia said its tests illustrated the shortcomings of signature-based security suites. Generic detection of exploits would be a better approach because what triggers a vulnerability (unlike the payload of an attack) doesn't alter, Kristensen pointed out.

"Even with a very rapid creation of payload-based signatures, all their customers are still left exposed for a considerable amount of time from the point when the criminals start distributing their new payload until it has been 'caught', analysed, a signature has been created, the signature has undergone quality assurance testing, the signature is published, and finally downloaded and activated by the security software," Kristensen said.

"Determining the characteristics of a vulnerability is somewhat more complicated and takes longer than than creating a payload based signature, however, it need only be created once," he continued. "Often the security vendors can finish their analysis and create a signature in the same time as the criminals can develop an exploit and start their criminal attacks."

Cluley argued that this criticism was misplaced, as security firms all moved away from signature-based detection years ago. He said modern security suites made far greater use of generic and behaviour-based detection as a way of dealing with the growing volume of malware-sample production.

A full round-up of the exploits and vulnerabilities used in the tests and a rundown of results can be found here (pdf). ®</p

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.