July 26, 2013

Security companies would do well to build their products around the physician’s code: “First, do no harm.” The corollary to that oath borrows from another medical mantra: “Security vendor, heal thyself. And don’t take forever to do it! ”

crackedsymOn Thursday, Symantec quietly released security updates to fix serious vulnerabilities in its Symantec Web Gateway, a popular line of security appliances designed to help “protect organizations against multiple types of Web-borne malware.” Symantec issued the updates more than five months after receiving notice of the flaws from Vienna, Austria based SEC Consult Vulnerability Lab, which said attackers could chain together several of the flaws to completely compromise the appliances.

“An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/LDAP credentials) which can be used in further attacks,” SEC Consult warned in an advisory published in coordination with the patches from Symantec. “Since all web traffic passes through the appliance, interception of HTTP as well as the plain text form of HTTPS traffic (if SSL Deep Inspection feature in use), including sensitive information like passwords and session cookies is possible.”

Big Yellow almost certainly dodged a bullet with this coordinated disclosure, and it should be glad that the bugs weren’t found by a researcher at NATO, for example; Earlier this month, security vendor McAfee disclosed multiple vulnerabilities in its ePolicy Orchestrator, a centralized security management product. The researcher in that case said he would disclose his findings within 30 days of notifying the company, and McAfee turned around an advisory in less than a week.

Interestingly, Google’s security team is backing a new seven-day security deadline that would allow researchers to make serious vulnerabilities public a week after notifying a company. Google says a week-long disclosure timeline is appropriate for critical vulnerabilities that are under active exploitation, and that its standing recommendation is that companies should fix critical vulnerabilities in 60 days, or, if a  fix is not possible, they should notify the public about the risk and offer workarounds.

It seems to me that we ought to hold companies that make security software and hardware to a higher standard, and expect from them a much more timely response. It’s true that products which are widely deployed require more thorough testing to ensure any patches don’t introduce additional problems. But to my mind, 30 days is more than plenty to address these vulnerabilities.

Johannes Greil, head of SEC Consult Vulnerability Lab, said security companies need to invest more in securing their own products.

“We only did a short crash test and found those critical vulnerabilities,” Greil said. “I don’t think that it is acceptable to take that long because users are unprotected for that time. I do understand though, that testing the patches is necessary and may take longer. At least they don’t take years as Oracle does sometimes.”


54 thoughts on “Security Vendors: Do No Harm, Heal Thyself

  1. CooloutAC

    I loved Norton in 2008/2009, when they revamped their whole system to use less resources. And they weren’t kidding, it used almost no ram and cpu, compared to any other security suite. I mean drastic in comparison, not even close to being the resource hog every other paid suite was, which was their bad rap for years, and the reason me and many have hated them for years before that.

    But it didnt’ last long. It still may not use alot of memory. but if you don’t regularly scan or let your pc go idle enough….it just starts scanning and hogging your cpu and slowing down your pc auatomatically while you are using it. And there is no option to stop all the idle scans at all, Norton feels its for your own good. Its always thrashing the hdd. They even masquerade their process in the kernel with their resource/cpu monitor. I kid you not. Totally fraudulent I let them have it for that, they said it was a bug. It now feels like another resource hog and the same horrible company it was for years before 2009. Not to mention it never found a virus for me in the 3 years i used it, and every other virus scanner i used has found at least one during the same time.

    None of these paid virus scanners are worth the money imo, especially since there is no way in hell they can keep up with all the viruses. I just go with the free options nowadays….theres a free option for every feature in norton.

    1. CooloutAC

      ya once they started hiding their kernel process when the hdd was thrashing, within the latest version of their own resource/cpu monitor at the time, that was it for me…

    2. Hopper

      I’m not surprised at all by Symantec’s response to your findings. In 2008 I found their Norton Anti-bot to include completely fraudulent reports in the GUI stating no suspicious activity was occurring on the the LAN directly after purposely infecting it with Zbot and other well-known trojans. Definitions for that variant were contained in Norton AV so there’s no reason for the complete failure.

      I walked into a Norton demo trailer outside a Best Buy and relayed my findings. They took my contact info,and they asked for my analysis and I refused on the basis as the computer was assuredly infected and their application was a fraud.

      Needless to say Norton Antibot no longer exists.

  2. Branden Spikes

    Thanks for the article Brian this is a new attack vector I had not previously thought about. The concept of malware prevention appliance becoming compromised to the point that it actually spreads malware to your organization, WOW. The risks we expose our networks to by running browsers on our machines is stifling.

    As a security appliance vendor myself, I am reminded to make sure this can never happen by being secure by design.

  3. saucymugwump

    “It seems to me that we ought to hold companies that make security software and hardware to a higher standard, and expect from them a much more timely response.”

    Why should we do that when we do not require credit card vendors, medical insurance companies, and other businesses which hold our personal data to do the same?

  4. Joe Kool

    It’s very easy to throw out numbers such as seven days or 30 days as publication deadlines. But what is obviously missing is defining what the actual impact is of releasing information on that timeline. Will releasing info after seven days help more people stay protected? Or will it simply allow new exploits to be rolled into exploit kits sooner, and subsequently cause exploitation of the published vulnerability to impact many times more users before it’s patched?

    The only way to know is to show research, and examples of early vs. late disclosure and what impact it had on people and organizations. Before I support any time frame – full-disclosure, seven day, 30 day, or responsible disclosure – I’d like to see what the impact is and let the data show where the best timeline is.

    As a consequence, I’m looking forward to this talk at VB2013:

    http://www.virusbtn.com/conference/vb2013/abstracts/CrossStewart.xml

  5. Richard Steven Hack

    With regard to security appliances becoming a risk, there are a number of infosec conference talks in recent years that have exposed numerous vulnerabilities in such devices.

    It’s almost at the point where putting a security appliance in your corp is automatically expanding the attack surface…

    After all, all these things are usually are Linux boxes with custom software…that are never updated…

    Joe McCray has given talks several times where he describes a vulnerability assessment gig he did where he tried to get into a server to assess its status only to find the server was incredibly slow to log into. Once he got in, he found FIVE separate rootkits. As he put it, the hackers were elbowing each other for room on the server.

    The customer asked how come their IDS didn’t detect this.

    Turns out the affected server WAS the IDS…

    Once again, there is no security… 🙂

  6. Cob

    No security for old men.

    Brian, what’s your take on security in general? Does anything work? Is anything worth it? Are there any right answers?

    1. CooloutAC

      Symantec def is not worth it, I hate to sound like a hater though. I became a fan again in 2008-2009 recommending them to everyone. It blew my mind how fast and sleek it was. In 2010 a symantec employee responded to me and actually took my advice regarding unused port blocking…and in the 2011 version they actually implemented it! I coudln’t believe it I was so psyched I thought i’d be a fan for life.

      But starting with the 2013 version. I noticed that their performance monitor, which is supposed to show all norton activity vs system activity was looking suspicious. It would say no activity when cpu was at 5,10,20%! Also my pcs on my network got rocked hard christmas of 2012.

      Basically, i would notice my system.exe process going nuts when my pc was idle…not the ccsvchost norton process, or svchost or explorer or anything… which is a common problems. I couldn’t figure out what it was.

      Finally i decided to use process explorer, from users suggestions, open up the properties and look at all the threads. I would wait till my pc went idle. Turns out the culprit thread was directly related to norton when doing a google search on it.(i forget the name now and the forum thread has dissappeared from nortons site) I promptly started another thread on their forums after my other two threads were locked. Then i got banned( I can be a bit overwhelming)…..

      But Its like norton was doing something while my machine was idle they didn’t want me to know about. Either that or norton kept getting compromised by some virus. either way their perf monitor was disgusing it for them. Which totally contradicted what they advertised with their perf monitor, did not make me feel secure. But besides their perf monitor boldy lying….and ever since my network got rocked hard in december of 2012, after finding no viruses for 3 years. not a single one…..and then when updating to norton 2013 just made things worse?, I got rid of them even with 3 months left on my sub.

  7. Emilie

    Cob – you beat me to it – I was going to ask – what is best security for a grandmother who likes to keep a clean computer?

    In past 10 years I’ve been alternating between McAfee and Norton IS and I don’t like either one. In the free dept I run Spybot, Malwarebytes and C Cleaner and I dump cookies daily in Chrome and IE. Monthly I run that MSFT thing that comes with their updates.

    Is there a better Internet Security program I can buy and are there any other free programs I should run?

    I pay my bills on line and do investing so I think it is very imp to keep things clean and I worry especially since I have bought tickets at JetBlue with several different credit cards……..

    Thanks again Brian for your always interesting and useful blogs.

        1. CooloutAC

          believe it or not….MSE is the one that found the trojan i got from battlelog.battlefield.com last year. Trojan.JS.Redirector.xa
          and it must of been from an idle scan, cause i found it in quarantine like a week later.

          since this thread though i’m now using avast + mse.

        2. SeymourB

          Just so you know, depending on a single AV product to detect everything stopped being a viable option 5 years ago. You have to use multiple AV products, and MSSE is fine as one of them, you just can’t solely depend on it.

    1. Cob

      @Emilie

      I was actually just talking about corporate security in general. A lot of company’s depend on IDS, DLP, AV, and all kinds of other appliances, not to mention whitelisting and whatever else you want to add here…

      As a very new person to this field, I feel like nothing works, nothing is good, nothing has success. At the end of the day I wonder if all infosec is just a shell game and the infrastructure behind the internet and the people that support it is just so corrupt and stupid that trying to fix it or build on it is senseless busy work.

      I don’t know how to read logs or configure routers or do half the stuff that the people reading this blog probably do on a day to day basis…but I know that on a macro level none of this seems to matter. Defense in depth is a joke. You can build 1 million walls but at the end of the day you have to stop an infinite number of ladders.

      When’s the last time Brian had an article about a company that stopped hackers? I realize that’s not something that gets published, and it’s tricky because those cases could be a part of active investigations…but jesus, what in the world is going on out there?

      1. CooloutAC

        Ya at the end of the day i guess its do you lock yourself up in your house and keep the door close?, or open it up to venture out and experience something in public?….the internet really is the wild west barbarian times.

        Windows has now become my gaming entertainment machine that I don’t car about wiping, linux is for regular activities, and the updated livecd for the banking. I’m now using a user account in windows. all these years…I was never even using a user account in windwos, was always on administrator.

        That age old analogy of a few bad apples spoil it for the whole bunch is very true, contrary to what many believe. and saying your against the gov’t, but then spying on people trying to get them arrested like your the fbi yourself is hypocritical. People would respect hackers more if they actually went after other hackers, because nobody else can they have the ability, and because thats what really affects most of our daily lives….make the internet a better place, thats another dimension of our world.

      2. Madmonkey

        Hold on there. Defense in depth is not a joke, it is sound security advice, that many will agree to.

        What you are referring to is the fact that no software/appliance or whatever will completely protect your system. Which is correct by the way. But that doesn’t mean you should stop using them.

        Would you stop locking your house and turn off your alarm because they are not 100% fullproof, no. Then why do so in the IT realm?

        The truth is both in IT and in the physical world, there is no guaranteed way to stop intruders, short of living on an island (or off the grid)

        As you have said in your comment, you are still new to the field, but I already feel you have made a big mistake in passing judgement without understanding the big picture. I strongly suggest you don’t pass judgement on something you don’t fully understand.

        Security is hard and always will be. But that doesn’t mean you should just give up.

        Admins and Security professionals have the unenviable task of preventing compromise of the network even when there are literally dozens or not hundreds of attack vectors for intruders to utilize and lets not forget our users, who themselves can pose as great a risk, just by themselves.

        Bottom line:
        Edmund Burke said all that is necessary for the triumph of evil is that good men do nothing. Do not allow evil to triumph. Do not do sit by and do nothing.

        1. Cob

          I’m not saying that people should give up.

          But I’m very skeptical that defensive in depth is anything but a very poor strategic stop gap that is meant to slow down the bleeding while perhaps new technology appears over the horizon.

          It’s like we’re trying to solve a problem with a million semi-effective ideas instead of redesigning the whole process from the beginning.

          It’s no wonder companies just throw arbitrary sums of money at IT Security…it’s not like it actually does anything but keep people that don’t know any better from asking more questions, important questions. Like why is our entire commerce system completely vulnerable to a few people sitting in their basements? (and please don’t give me the APT song and dance…who cares if it’s a military threat or a 12 year old, your data is gone)

    2. B

      Unplug from the interwebs. I say we take off and nuke the entire site from orbit. It’s the only way to be sure.

    3. anymouse

      Go to AV-Test and AV-Comparatives’ websites and look at the test results. You will discover that Bitdefender has ranked either #1 or #2 for years. F-Secure and Kaspersky have also ranked in the top few for years. Of those three, I would recommend F-Secure, as it uses Bitdefender’s engine as well as one of its own. Kaspersky has the nasty habit of invalidating perfectly good licenses because (I assume) they have been burned many times by people trying to use forged keys.

      Be careful about using free add-on anti-spyware products. Some do not play well with mainstream anti-virus products and others are borderline malware themselves. Not to mention that all anti-malware products slow your PC.

      1. anymouse

        Oops, I did not intend to infer that Malwarebytes and Ccleaner are bad. I use them both.

    4. Datz

      The solution I use is Ubuntu live CD or a USB mounted one. I wouldn’t want to get into the debate of which one is more secure (Windows or Linux), but the fact is there is less of malware targeting Linux systems out there. And unlike earlier flavors, Ubuntu is fairly grand-parent friendly and easy to use.

  8. Hopper

    I can’t help but bring up the whole Symantec source code leaks that were brought to public attention in September of 2012.

    Symantec stated that the current version of Norton didn’t share any common code with the 2006 version, but what was the impetus of the re-build? Knowledge of the leak? A genuine drive for product improvement and development?

    I just don’t trust em.

    http://www.theregister.co.uk/2012/09/26/symantec_source_code_leak/

    1. CooloutAC

      I never knew that man! I really liked them up until right around that time too…wow, that probably explains alot….you just blew my mind, thanks for the link!

      http://www.av-comparatives.org/

      anybody know how reliable this site is ^

      Avast is really rocking strong for a freebie on those charts. They some of the good Russians 🙂

      1. anymouse

        Avast is headquartered in Prague, Czech Republic. Czechs are Slavic, but definitely not Russian.

  9. BV1

    Unfortunately anyone reading this has probably been smart enough to not touch a Symantec product for years now. Anyone still using Symantec gets their malware news from Yahoo!.

    1. FUD

      Xa Xa Xa . Best comments so far and so funny you made my day .
      And The funnest thing is that half of the people who reading this blog Do use Symantec as we speak .Just read some comments from above . But they can talk BIG for hours and hours on end about IT security …

      Enjoy the ride.

      1. anymouse

        Only one person here — Emilie — admitted to using Norton and she clearly said she is not happy. I made some comments regarding how AV-Test ranks Norton as one of the best anti-virus, but I never actually claimed that I personally use it. Everyone else denigrated Norton, yet you claimed that “half of the people who reading [sic] this blog Do [sic] use Symantec.” I think you omitted some letters in your alias, specifically “cke” after “fu” and “-up” after ‘d’.

  10. FUD

    You guys calling yourself s a security experts are so pathetic .You know nothing about IT security as far as i can see .Norton , McAfee and the rest they all useless in combating new treats that emerge every day .Every kid knows how to bypass Norton , McAfee and other AV soft this days .It seems to me that my 5 years old kid knows more then you do , so called “professionals ” .No wonder its so easy to hack in to US systems , they all use Norton , McAfee or some other useless AV soft ..

    1. F-3000

      “Every kid knows how to bypass Norton , McAfee and other AV soft this days .”

      You meant to say, that every kid can press a button on webapp and call themselves a hacker?

  11. anymouse

    If Norton is useless, then so are all other anti-virus products. I say this because AV-Test, one of the two most respected testing companies in the business (the other is AV-Comparatives), rates Norton near the top, along with Bitdefender, Kaspersky, and F-Secure, with G Data and ESET (6.0, not 5.x) following closely behind.

    And some of the above have their own problems. I have experienced Kaspersky’s customer service refusing to allow a valid license to be transferred to another PC (with only one running at a time, of course). I have experienced Bitdefender’s scanner telling me that a brand new installation of W-7 had something like 20 serious trojans; yes, they had a false positive problem, as they later admitted. Malwarebytes had a false positive problem a few months back. And not that long ago, one vendor (I think it was Avira, both free and paid) broadcast an update which broke every single installation of it around the world, with users being forced to manually fix their PCs.

    The problem is zero-day exploits, as everyone here understands. Given an anonymous Internet, either white-listing or the current state-of-the-art in anti-virus technology is probably as good of a defense as can be achieved.

  12. jershonite

    The problem is criminals, but there will always be criminals so how do you defend against them?

    Try to be smarter and faster than they are. While Google’s push for a one week deadline seems the best way to stay faster than the criminals, it’s not really realistic.

    Making changes to software that thousands or millions of machines use is a hugely risky business and a highly complex task.

    Releasing information about vulnerabilities to the public early won’t protect them. Besides, the most commonly attacked vulnerabilities are old and well known.

    The best solution is for the vendors to fix as fast as they can (and sometimes they need extra motivation to do that) and to not reveal the vulnerability publicly until the fix is available.

    That’s the best solution, but not a very common one.

  13. Emilie

    I have seen no mention of Webroot Secure Complete – is this a good IS program?

    1. CooloutAC

      good question, they are not mentioned anywhere. I used them years ago, I think at the time they were top rated for malware but not really an a/v, not sure their suite even has a firewall. The experts don’t recommend any suites and neither do I now. Its so bad out there I wouldn’t bother paying for anything. get the paid version of malwarebytes if anything. its 20 dollars for life.

      right now i’m trying out avast, amazed to see it blocks alot of pages that i have to whitelist. couldn’t even figure out how at first lol, I think the paid version is more user friendly with these features, but wow its pretty hardcore. Norton never blacklisted webpages for me.

      To replace the norton password manager, I would use Lastpass.

      Emille you’ll laugh, but right now i’m using MSE, AVAST, malwarebytes, w7 firewall control from sphinx, w7fw advanced also still on, peerblock, EMET, all at same time not seeing any performance issues or conflicts so far with avast in there. all free.

      even playing bf3 video game.

      I have a quad core cpu and 6gb ram on w7. i’m under 2gb and barely any cpu use right now with half a dozen firefox tabs open and slsk running. Avast also doesn’t default a scan schedule,or abuse your pc when its idle it seems. I’m just going to manual quickscan everyday see how it goes.

      1. CooloutAC

        I just realized that using w7 firewall, especially to block outgoing connections is a little sadistic especially for a novice user.(i love the w7fw)

        does anyone have any good alternatives to mcafee and norton suites, that are just as user friendly?

        1. Andrew

          I suggest trying out ESET Smart Security 6

          It’s nod32 (their anti-malware engine) + HIPS + firewall and some other toys).

          It’s very user friendly out of the box – you can make it as difficult/useful as you like if you prefer to manually create firewall and HIPS rules

          Also does HTTPS filtering if you configure it correctly

          Low demand on system resources

          It’s not an enterprise-ready solution but personally it’s my favorite and I deployed it widely in SMBs before I entered the big boy space

      2. Emilie

        Thanx CooloutAC, your comments are very helpful to me.
        Sounds like we have similar systems – I have an ASUS 64 bit w7 quad core with 12 GB ram.

        I have no interference between all the free security programs I use and Norton IS that I hate and Norton controls the advanced w7 firewall.

        Sometimes it is difficult to get 64 bit free security programs – but it has become much easier lately. I don’t mind running them manually.

        I am certainly not a pro on all this stuff and don’t want to be – I just want to protect my ‘puter and NO FREE RENT TO THE CREEPS.

        I have been following Brian for years at WaPo – his column was the best! It was clear and understandable for a novice. I can say the WaPo tech section is pathetic without Brian!

        1. CooloutAC

          what i like about that w7fw sphinx control is it doesn’t do anything to the kernel, unlike norton, and its very light. anytime any program on your machine blocks something, it pops up saying what program, ip, port etc and how many attempts… its an alternative way to blocking outbound connections in windows, but the free version is limited.

          but it uses same protocol as w7fw, and they both can run independently and at same time.

          so you can use the sphinx firewall…to alert you what program is attempting access….you can easily copy and paste the location and name and quickly add it to w7fw if you block outbound with it. or you can see from the popup what ports and ips need access. ( i gave myself away now lol)

          comodo firewall might be a better option for you. Some experts say it is even better then paid firewalls! and has many automatic features. But when first running it…there are alot of popup notifications that you will probably have to allow that can be annoying, but its very very good and your machine can handle it with anything else running.

          1. CooloutAC

            IMO
            comodo = best free firewall
            avast = best free AV
            malwarebytes = best free malware

            1. Andrew

              anti-malware = (or >=) anti-virus

              That’s saying nothing about the efficacy of the products you mentioned, just a clarification on terms. Backdoors, rootkits, spyware, “virus,” etc. – the term malware encompasses all of these

              1. CooloutAC

                go to w/e respected comparison or test site you want or google them don’t take my word for it.

                as far as FREE firewalls go, nothing is gonna do what comodo does. there is just no comparison lol. google it. some claim its better then some paid ones.

                Avast well we’ve already posted some sites that compare them on tests. I think the the only real free scan even in the runnings.

                malwarebytes, well maybe this one is debateable as a better spyware/malware program because there is so many free ones. I have personally saved peoples pcs with this program though. People who got their internet hijacked, (when a virus was going around florida) just directing them on the phone to go to safemode with networking downloading malwarebytes and running a scan, and they were good to go. But they also have the best help forum and customer service, and a cheap lifetime subscription.

        2. cooloutac

          Emilie! Avast just flashed on my screen when i logged in a user account. its already notified me and updated for me the adobe flash player activex to 11.8.800.94!

          now i’m glad I saw your post Emilie. I just installed avast on all the phones too. I noticed too on the android they the only free solution with an actual real firewall for rooted phones I believe! wonder if people could use that in combination with the link from BKs mobil post for Duo’s Securities two patches for android phones.

          I wonder if that would actually be safer then a non rooted phone, does anybody have any thoughts on this?

    2. Brett Lee-Price

      Hi Emilie,

      I’ll point out first that I am an employee of Webroot, so that it doesn’t sound like I’m misleading anyone. Personally, as a former IT Consultant/Network Engineer, I find that Webroot SecureAnywhere is a great alternative to traditional antivirus solutions.

      It’s entirely SaaS based with a <1MB client, low resource consumption (on both CPU and RAM), and you can manage endpoints and mobile in a single pane of glass. It also doesn't use definitions, but instead is heuristic-behavior driven.

      I use to use and recommend a combination of Kaspersky, Spybot and Malwarebytes to help repair and protect systems, now I just use Webroot + Spybot to do the same thing.

      1. Emilie

        Thanks Brett.

        I have some friends who have used Webroot for several years and swear by it – extremely satisfied.

        Right now I just started using a free month of Avast Premium and I have to say I am impressed.

        But before I decide I plan to try Webroot if it has a free trial as well.

        Thanks again.

  14. A. Cynic

    Funny how Google hasn’t held its handset partners to its much-vounted 7 day window over not one but two complete holes in Android code signing.

    Google let handset manufacturers license Android *and* lock down the devices so you can’t update them yourself, then come two holes (one total, one nearly total) in the package code signing part, so bad I can make my virus claim to be your signed app, and not a word out of Google to say when you can expect a fix, or what it’ll do to Android handset vendors who drag their heels.

  15. Dirgster

    I’m reading these comments and come in defense of Norton. On two computers I’ve been using Norton 360 for years and run Malwarebytes Pro for over a year now. I have been safe from virus infections all this time. Perhaps Symantec and all the other security companies will become more vigilant by reading your statements and complaints and will take their job of keeping computers safe more seriously.

    1. CooloutAC

      in 2010 a norton employee responded to a simple suggestion of mine. About showing the port number on the main logging screen along with the ip address, so it would be easier to determine which ips were out of the ordinary while scrolling through, if the log became flooded, without having to click on each ip address individually.

      The next version that came out, there was the port numbers in plain view on the main screen, so they are def not all bad and they do listen to the people.

      IMO, its the volunteers they rely on that are the problem alot.

      1. CooloutAC

        for unused port blocking I mean, obviously it would be crazy if they never showed the port for any connection. But i explained, for example using torrents, even when the port and program is closed, clients will still be trying to connect afterwards for some time and they should be logged. So if i was able to see the unused port they were connecting to along with the ip address, i could assume what it was probably from, for example the specified utorrent port, and easily scroll past 100 ips that are most likely not an issue.

Comments are closed.