Following N.Runs’ recent revelation of more than 800 vulnerabilities in anti-virus software, mostly due to parsing procedures, and McAfee’s rejoinder in its Avert blog, N.Runs has dismissed McAfee’s challenges.
N.Runs – a consulting company and solutions developer – originally stated that the flaws mean that, contrary to their function, some anti-virus products actually open the door to attackers, enabling them to penetrate company networks and infect them with destructive code.
“The positioning of anti-virus software in central areas of the company now poses an accordingly high security risk,” said the company. And that, it said, applies to “every virus scanner currently on the market”.
Why? Because virus scanners must recognise as many malware applications as possible, which means handling large numbers of file formats. To do that they have to partition files into blocks and structures, a process known as parsing.
However, N.Runs says that mistakes and assumptions made while programming the parsing code create situations that enable the infiltration and subsequent running of code.
The company stands by its findings and, paraphrasing its statement, says: “N.Runs firmly believes that the use of AV software or even multiple AV software is a requirement, but that inherent bugs need to be taken into account when designing perimeter and internal security defence.
“The rising number of available formats, cryptors, packers, combined with the intrinsic market pressure in the AV field, has not helped AV vendors to increase code quality, as our experience has clearly indicated.”
Dealing specifically with the challenge that McAfee has not seen any evidence of any of the vulnerabilities reported by N.Runs being exploited to attack products in real world environments, N.Runs responds: “This is due to the fact that N.Runs reports these vulnerabilities in order to protect our own and McAfee’s customers.
“Our vulnerability notification policy is rigid and strict: advisories include no details as to how the vulnerability was found or how it could be exploited. In our view, the bigger concerns are those vulnerabilities not found and published by us, especially as black-market prices for AV vulnerabilities are on the rise.
“N.Runs is aware of two publicly documented incidents where AV software (running on email servers) was the remote entry vector to internal networks.
“N.Runs also believes that security is a process aimed at being proactive and not solely a process in reaction to events or bugs. Statements such as ‘McAfee has not seen any evidence’ can be deceptive.
“The logic that bugs are fixed when they are found is no argument against a professional attacker – for the sole reason that these professional and/or military-style attackers rarely use known flaws. If the paradigm you follow is ‘we protect against what is known’ [quite common in the AV industry] then you are doing no favours to those who demand protection against professional attackers.”