Symantec took a hit recently when analysts found “a heap of critical vulnerabilities” in its security products. While it’s easy to point the finger at Symantec, placing all the blame on security vendors misses the point. The flaws found in Symantec’s and other companies’ security software highlight the crucial need for vulnerability assessment.

Symantec’s Vulnerabilities Are Wormable

Researchers from Google found holes in 17 of Symantec’s enterprise security products and eight of its Norton consumer and small business products. Bad, right? So bad that the problem was described as “as bad as it gets.” One of the most popular methods of targeting victims today is the spear phishing attack, which tricks people into clicking a tainted link in an email or opening a malicious attachment. Almost every organization is teaching its employees the dangers of doing so. But Symantec’s vulnerability is worse: the user is exposed even without opening the email or interacting with it in any way, because the security product inspects incoming content automatically. According to Google’s researchers, the flaw can be exploited to propagate a computer worm, self-replicating malicious software, without any action on the part of the user.

Similar Flaws Found in Other Software

Symantec is reeling, but similar flaws have been found in any number of security vendors’ software, including FireEye, Kaspersky, Trend Micro, McAfee and others. The common culprit is a lack of software code review. Security software vendors need to perform a vulnerability assessment, at the very least. Symantec also shipped open source code that it had not updated in at least seven years.

According to the researcher who found the flaws, Tavis Ormandy, this represents a flagrant disregard for security. The vendor did not review the code that it took from common libraries, when a thorough code review was all that was necessary. A vulnerability assessment would also have surfaced the issue, illustrating the need for the security software world to become more vigilant in order to ensure that all their products are safe from these kinds of threats.
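The seven-year-old vendored code is the kind of finding a routine inventory check catches before a researcher does. The script below is an added example, not code from the article, Symantec or Google: it audits a manifest of vendored third-party components and flags any that are behind their upstream release or older than an age threshold. The component names, versions and dates are constructed for illustration; in practice they would come from a software bill of materials and upstream release data.

```python
"""Audit vendored third-party components for staleness.

Added example (hypothetical manifest, not a real product inventory).
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Component:
    name: str
    vendored_version: str    # version of the copy in the product tree
    vendored_on: date        # when that copy was taken
    upstream_version: str    # latest upstream release known at audit time


def parse_version(v: str) -> tuple:
    """Turn '1.9.1' or '5.2.1-rc2' into a comparable tuple of ints.

    Pre-release suffixes after '-' are dropped; non-numeric pieces count as 0,
    so '1.10' correctly sorts above '1.9'.
    """
    parts = []
    for piece in v.split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def age_years(vendored_on: date, today: date) -> float:
    """Elapsed time since the copy was vendored, in fractional years."""
    return (today - vendored_on).days / 365.25


def audit(components, today, max_age_years=2.0):
    """Return (name, reasons) for every component that is behind upstream
    or has sat unrefreshed longer than max_age_years."""
    findings = []
    for c in components:
        reasons = []
        if parse_version(c.vendored_version) < parse_version(c.upstream_version):
            reasons.append(
                f"behind upstream ({c.vendored_version} < {c.upstream_version})"
            )
        years = age_years(c.vendored_on, today)
        if years > max_age_years:
            reasons.append(f"vendored {years:.1f} years ago")
        if reasons:
            findings.append((c.name, reasons))
    return findings


# Constructed manifest: names and dates are hypothetical.
MANIFEST = [
    Component("unpacker-lib", "1.2.0", date(2009, 3, 1), "1.9.4"),   # old and behind
    Component("archive-lib", "0.5", date(2015, 11, 10), "0.5"),      # current
    Component("compress-lib", "2.1.0", date(2016, 1, 5), "2.3.0"),   # recent but behind
]
AUDIT_DATE = date(2016, 6, 30)


def run_audit():
    return audit(MANIFEST, AUDIT_DATE)


if __name__ == "__main__":
    for name, reasons in run_audit():
        print(f"{name}: " + "; ".join(reasons))
```

The version comparison is deliberately numeric rather than string-based, since a plain string compare would rank "1.9" above "1.10" and hide an out-of-date parser. The age check is independent of the version check so that a component with no newer upstream release still surfaces when nobody has looked at it in years.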



Fran Howarth

Fran Howarth is an industry analyst specializing in security. She has worked within the security technology sector for over 25 years as an analyst, consultant and writer. Fran focuses on the business needs for security technologies, particularly in emerging technology sectors. Current areas of focus include mobile security, cloud security, information governance and data security, identity and access management, network and endpoint security, security intelligence and analytics, and security governance and regulations. Follow Fran on Twitter: @FranNL
