By Sarah Lacy

Think you're safe because your computer has the latest antivirus program, complete with daily updates via the Web? Or maybe you figure the firewall you have installed will stop malicious software from reaching your machine.
Well, you may not be as secure as you think. Hackers are increasingly finding flaws in the very programs designed to prevent attacks -- computer-security software.
A new Yankee Group report, to be released June 20, shows the number of vulnerabilities found in security products increasing sharply for the third straight year -- and for the first time surpassing those found in all Microsoft (MSFT) products. The majority of these weaknesses are found by researchers, academics, and security companies. Trouble is, hackers then take those findings and use them for nefarious purposes.
SAME EXCUSE. Last year, researchers found 60 flaws in a variety of computer-security programs, almost double the 31 vulnerabilities discovered in 2003, according to Andrew Jaquith, a Yankee senior analyst who culled a national database of reported software vulnerabilities. Through May 2005, 23 software glitches have been counted -- already up 50% over last year. And that figure doesn't include those yet to come this summer, when the biggest attacks are usually launched. So far this year, researchers have found only 22 vulnerabilities in Microsoft's products.
The trend is an embarrassment for computer-security outfits that have made billions protecting PCs from cybercrooks. And much of that work has come from fixing, or protecting against, lapses in the security of Microsoft products. Now, it seems, the tables may be turning. Indeed, security concerns are offering the same reason for glitches as many software makers: "Everyone knows there's no way to have perfect software," says Jimmy Kuo, a research fellow with McAfee (MFE).
Symantec (SYMC) has had the most reported vulnerabilities, with 16 documented last year (see BW Online, 6/17/05, "A New Frontier for Hackers?"). But so far this year, it has fared better: Through May, only two vulnerabilities were reported.
BRAGGING RIGHTS. Still, Symantec is a target because it's the market leader. Hackers generally want to crack programs with the largest installed base -- thus offering the maximum impact for their exploits. That's one of the rationales Microsoft has used to explain why its products seem to have so many reported security glitches. But Jaquith points out that McAfee, the second-largest security player, decreased its vulnerabilities over the last year. "This is a leading indicator of the relative quality of the two products," he argues.
Symantec executives declined to grant an interview. But the outfit did issue a statement saying the report compares the products of a single company -- Microsoft -- to the entire security industry. "This is not an apples-to-apples comparison," the statement said. Jaquith responds that the comparison was made because Microsoft has been hackers' target of choice. He notes that, more broadly, vulnerabilities in security products grew faster last year than those in the software industry as a whole.
What's driving the increasing discovery of flaws in the very products supposed to prevent attack? Part of it comes down to professional bragging rights. Computer-security consultants and researchers are always out to prove they can find vulnerabilities in software. The idea is: Once those holes have been discovered and made public, the businesses will move quickly to patch their programs.
Having torn through Microsoft's operating system for years, researchers now find new opportunities in security programs. Meanwhile, many hackers have started finding flaws in security software out of necessity. The software has become so prevalent that it was blocking most modes of attack.
WAKE-UP CALL. While more flaws are being found, only one has been exploited to launch a massive attack over the Internet. The Witty Worm, which targeted security concern Internet Security Systems' (ISSX) software, was sent 72 hours after the vulnerability was disclosed on Mar. 20, 2004.
A subset of ISS customers who get real-time patches over the Web were protected, but others were not, says ISS Chief Executive Thomas Noonan. The worm wrote over sections of infected hard drives, rendering the machines unusable. In all, 12,000 servers were infected. But the malicious software trashed more than hard drives: ISS's stock dropped about 5%, to $15.98, after the worm was announced. It has since climbed back, to close at $21.60 on June 16.
ISS has only had three vulnerabilities in its history, but Noonan calls it a wake-up call nonetheless. "Less than 1% of our customers were compromised, but dealing with that 1% was enormous," he says. "It has affected a number of things we do internally." Noonan wouldn't comment further about the attack's repercussions, as it's under a company investigation.
DANGEROUS DAWNING. That should have been a wake-up call to other companies as well. Jaquith advises vendors to ratchet up their internal testing. Both Symantec and McAfee recently acquired consulting firms that are experts in launching test attacks before the software is released. "They both have the tools in-house; it's a question of putting them to use," he says.
Vendors say they're already taking the threats seriously. Indeed, a new reality may be dawning for the antivirus world -- code just isn't safe anymore, no matter how good. "Software is software," says Ken Silva, chief security officer for VeriSign (VRSN). "I wouldn't classify it as a failure on the part of the security industry. Hackers are just getting a little smarter."
If the security industry is going to keep growing at double-digit rates, it'll have to get smarter, too.

Lacy is a BusinessWeek Online reporter in San Mateo, Calif.