Symantec took a hit recently when analysts found “a heap of critical vulnerabilities” in its security products. While it’s easy to point the finger at Symantec, placing all the blame on security vendors misses the point. The flaws found in Symantec’s and other companies’ security software highlight the crucial need for vulnerability assessment.
Symantec’s Vulnerabilities Are Self-Replicating
Researchers from Google found holes in 17 of Symantec's enterprise security products and eight of its Norton consumer and small business products. Bad, right? So bad that the problem was described as "as bad as it gets." One of the most popular methods of targeting victims today is the spear phishing attack, which tricks people into clicking a tainted link in an email or opening a malicious attachment. Almost every organization is teaching its employees the dangers of doing so. But Symantec's vulnerability is worse: the user is exposed to attack without opening the email or interacting with it in any way. According to Google's researchers, the flaw can be exploited to propagate a computer worm, self-replicating malicious software, without any action on the part of the user.
Similar Flaws Found in Other Software
Symantec is reeling. But similar flaws have been found in any number of security vendors' software, including that of FireEye, Kaspersky, Trend Micro, McAfee and others. The common culprit is a lack of software code review. Security software vendors need to perform a vulnerability assessment, at the very least. Symantec also shipped open source code that it had not updated in seven years of use.
According to Tavis Ormandy, the researcher who found the flaw, this represents a flagrant disregard for security. The vendor did not review the code it took from common libraries, when a thorough code review was all that was needed. A vulnerability assessment would also have caught the issue, illustrating the need for the security software industry to become more vigilant in ensuring that its products are safe from these kinds of threats.
In our increasingly mobile world, mobile security threats are on the rise. To ensure your business is protected, learn more about the top three mobile security threats here.