Anti-virus Software is prone to attacks by the way it scans files for viruses
However, it serves as a reminder that:
- The sophistication and complexity of the software we take for granted in our day-to-day life is incredibly high; even simple applications are complicated when you lift the hood.
- Hackers are very adept at discovering and exploiting weaknesses in just about ANY software.
- The problem is getting worse, not better, especially now that hackers are discovering ways of making money from their efforts (e.g., CryptoWall and ransomware).
Equally interesting is the way this vulnerability came to light. It came from Google's Project Zero. This is a new service from Google that proactively analyzes popular software for potentially vulnerable code that could be prone to attacks. If they find something, they notify the vendor, and the vendor has limited time (90 days) to correct the problem before Google goes public with the information.
Launched in 2014, Project Zero focuses on looking for zero-day exploits. "Zero-day exploit" is a term used to describe brand new viruses that use a new way of infecting a computer; in other words, "zero" is the number of days it has been in the public domain.
To be clear, Project Zero finds potential vulnerabilities, not evidence of software that has been compromised by hackers.
This opens up all sorts of ethical and logistical questions. Taking the recent Symantec issue as an example:
- Google are now positioning themselves as Corporate Watchdog. No matter how benevolent their intentions, it could pose ethical questions if one corporation is favoured over another when it comes to being selected for analysis. Has Google looked at Trend Micro or McAfee code?
- If a vulnerability is discovered, who is liable? Are Google required to report this to government authorities if the risk/threat is great enough?
- Does NOT having any known vulnerabilities make the software better for the user? Is Trend Micro or McAfee better at detecting viruses than Symantec EndPoint?
- Does identifying vulnerabilities guide hackers into what is being looked at and what is not? In other words, is it helping them to be more effective?
- Will Google start selling Project Zero services as a commercial enterprise? After all, they are in the business of making money.
- By default, only potential vulnerabilities that have not been fixed are reported. Thus, it's a blacklist. Conversely, is there a whitelist: software that has been tested and found to be OK?
For now, it's best to focus on the results. If you are using Symantec anti-virus products, I would suggest you contact your primary tech to ensure you have the latest version that contains the bug fix.