Security tools are among the most-vulnerable software, researchers warn
- 30 November, 2016 13:12
Enterprises are rushing to implement security tools to protect their networked environments – but those same tools comprised more than half of the 20 most vulnerability-ridden software products based on regular testing during the last quarter, according to new figures from Flexera Software.
That company’s Secunia Research, which maintains a continuously-updated Vulnerability Database having more than 50,000 products, registered some 2162 new vulnerabilities between August and October of this year. And of all vendors, IBM had the most vulnerable products, according to the results – which were published in Flexera’s latest Vulnerability Update.
The Secunia team found 49 vulnerabilities in the company’s Security Network Protection tool in August alone, for example, while its Security Access Manager (SAM) was fingered for 16 new vulnerabilities in August and 22 in September.
SAM didn’t make the list in October – not necessarily because it got more secure, but because all of the top 20 tools in that month had 24 or more vulnerabilities detected. Overall, however, eleven of the top 20 products on the leader boards during the quarter were security-related tools from IBM as well as AlienVault, Juniper, McAfee, Palo Alto networks and Splunk.
The preponderance of security vulnerabilities in such tools is as much about their use of open-source components as it is about any oversight in the vendors’ code.
“This highlights how important it is that software producers understand the third-party components used in their products and the vulnerabilities associated with them,” the report’s authors noted. “All producers – including those that develop security software – must act quickly to patch vulnerable components and inform customers, to avoid exposing them to the risk of exploitation of those vulnerabilities.”
Many major security vendors – including Symantec, Malwarebytes, Kaspersky, have been dealing with new vulnerabilities this year– many published by researchers at Google that also recently angered Microsoft by publishing a critical flaw in Windows.
Forrester Research recently flagged the issue, warning that a “nightmare scenario becomes reality as trusted security brands and technologies fail when facing attacks that target them directly”. That report advises companies to take a more critical view of their security products, including a higher level of testing and remediation of their security products “to ensure these products don’t introduce vulnerabilities like those they’re trying to prevent”.
Intel Security flagged the need to take a broader view of trusted infrastructure components in its newly released predictions of the top threats enterprises will face in 2017.
Vulnerability exploits on Windows will cool down, that firm predicted, as attackers shift their focus to exploiting weaknesses in other software. “Exploiting client-side vulnerabilities has become significantly more difficult in recent years, thereby increasing the development cost of generic and reliable exploits,” Intel Security analysts warn in the report.
“To successfully penetrate the latest operating systems, attackers must often combine several high-quality vulnerabilities with advanced exploitation techniques. Although successful attacks have been demonstrated in hacking contests, we have not yet seen sophisticated exploits such as these in the wild.”
Consistent with Flexera’s analysis, Intel Security noted “many serious vulnerabilities in security products” during 2016 – citing a severe remote code execution vulnerability in FireEye appliances, Google’s discovery of common vulnerabilities in anti-malware products, and exploits in firewall products –and predicted that the trend would continue in 2017.
Also likely to increase in 2017, Intel Security’s analysts predicted, is a focus by attackers on compromising hardware and firmware – a relatively difficult task that offers adversaries “ultimate persistence, significant stealth, access to a great variety of hardware resources, and the ability to implant backdoors into systems’ software stacks.”
As well as a widely flagged increase in Internet of Things (IoT) exploits, the company predicts, next year will see a flood of malware leverage bootkit components to attack UEFI-based OS loaders and firmware attacks targeting virtualisation-based trusted execution environments – as well as ransomware infecting boot loaders and firmware.
With the security tide continuing to rise, the analysts advise a range of actions including reducing the asymmetry of information between companies and adversaries; making attacks more expensive of less profitable; improving the visibility of security operations; identifying exploitation of legitimate tools and credentials; protecting decentralised data; and detecting and protecting threat activity without agents.