McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position


Reaction to McAfee Statement regarding vulnerabilities in Anti-Virus Software

Several days after blogging about research conducted by n.runs AG that managed to discover approximately 800 vulnerabilities in antivirus products, McAfee issued a statement basically debunking the number of vulnerabilities found and providing its own account of the number of vulnerabilities affecting its own products:

"A recent ZDnet blog discusses a large number of vulnerabilities German research team N.Runs says it found in antimalware products from nearly every vendor. The ZDNet posting includes scary graphs to frighten users of security products. We researched the N.Runs claims by analyzing the raw data and found their claims to be somewhat exaggerated. We will discuss our findings (and make available our source data) in the attached document. We have also provided our source data for anyone who wishes to examine it."

Today, n.runs AG has issued a response to McAfee's statement, providing even more insight into the vulnerabilities they've managed to find, how they found them, and why the affected antivirus vendors are questioning the number of flaws in general:

"n.runs recently announced that they discovered over 800 vulnerabilities in AV software, blaming a necessary procedure that is known as parsing. These flaws potentially give attackers access to sensitive data. McAfee reacted by posting a statement to the McAfee Avert blog; n.runs would hereby like to take the opportunity to react to these statements.

As a reaction, McAfee posted a statement to their Avert blog which tries to negate some of the statements given in the original n.runs press release. This represents a short summary of our response to the McAfee Statement on AV Vulnerabilities. For the complete response see: Response to McAfee Statement (PDF)"

In order to provide a more informal overview of the big picture, the conflict of interest, and the current situation, I conducted a brief interview with Thierry Zoller, which you can find below.

Constructive confrontation, in the sense of "you're always wrong" said with the aim of arriving at a better solution, ultimately serves the customer better. Moreover, with regard to vulnerabilities found in antivirus software, consider the following: which vulnerability is in fact more dangerous, the one that leads to remote code execution through the antivirus scanner, or the one that bypasses the scanning process and lets malware sneak in easily?

Having followed n.runs' research into the topic for a while now, including their presentations at last year's Chaos Communication Camp (Antivirus (In)Security) and this year's CanSecWest (The Death of AV Defense in Depth? - revisiting Anti-Virus Software), I think their KISS strategy, combined with the universal way in which antivirus software works, is bound to produce relevant results. Here are Zoller's comments:

Dancho : What was the first thing that came to your mind when you saw the statement issued by McAfee, and do you think there's a difference between a scared, a concerned, and objectively informed customer of a security product?

Thierry : I welcome any reaction on the part of AV vendors; in some cases, however, I truly believe customers should be scared. Especially those with AV software running directly on their MTA or email server. In this particular case, I think there is a difference between scared and objectively informed, one follows the other. You can guess in what order.

Dancho : What's more disturbing in general, the average time it takes to patch a reported vulnerability within an AV, or the average time it takes to actually receive a response acknowledging the flaw in the first place?

Thierry : This really depends on the vendor and the designated security contact at the vendor. Some vendors choose to have development directly answer security notices; as these persons regard their code as their baby, it's often hard to convince them and you sometimes have to sustain quite some abuse - and negation. Sometimes there is simply no other way than to hit them with a working PoC in the face.

Some put product managers in front, some technical account managers; it really depends on how well these persons are informed about the procedure to follow. There are vendors that send you a summary update of the progress every week, and some you have to send 5 follow-up emails to get the status.

The most disturbing part is the amount of work required to explain flaws and the lacking knowledge on how to coordinate patching. Some vendors patch silently and don't even tell you, then claim (after x months) that the bug was found internally; some vendors don't publicly announce that a patch fixed bugs of security relevance. And this really sucks. You see, we put a lot of effort into coordinating disclosure, but when you deal with 13 AV vendors and one of them takes 2 years, well, you have to wait 2 years until you announce the advisory. For a flaw that took other vendors 10 days to patch...

In some cases I had to fight with support guys asking for serial numbers or else they would not "help" me; telling them you are doing them a favor by reporting security issues was, let's say, not really understood. Some vendors don't even have a security@ or secure@ address, and it took us around 8 months to find the correct address to report the issues to, and this for a well-known vendor.

Dancho : How would you describe the actual applicability of the vulnerabilities n.runs found in antivirus products, namely are they the type of vulnerabilities "that could" or are they in fact vulnerabilities "that currently are", and what's your take on not taking action until an incident abusing these vulnerabilities takes place, an event worth dedicating a patch for?

Thierry : All of the bugs we reported are verified before submission; the attitude of not taking action until damage is being seen ("being done" is not enough since they are not aware of it) is jeopardizing the security and trust of their clients. But it's quite common in the AV industry - reacting to outbreaks, reacting to malware. Reaction; I was quite baffled that the argument "hey, we wait until that flaw is publicly exploited" actually still exists. Every bug that posed a risk over a certain timeframe should be communicated to clients:

- Flaws found by external researchers
- Flaws found by internal auditors (at least the critical ones)

Otherwise you'll leave it to those that 'bindiff' your patches, and leave customers at risk. I understand that these things often create friction with the PR/Marketing department.

Dancho : Can we speak of a "window of opportunity" regarding these vulnerabilities, or perhaps we should say "the wide open window of opportunity with big blinking letters saying come on in" in respect to the slow response and coordination, excluding the fact that some of the flaws aren't even acknowledged as such yet?

Thierry : As long as a vulnerability is not patched, it's possible that someone else is actively exploiting it. That said, a window of opportunity certainly exists. The same is true for bugs found internally in deployed software.

Dancho : If you were among the affected parties in this research, what would you do to ensure that your customers are protected from flaws within software that's supposed to protect them in general? Moreover, what should the end user keep in mind when choosing an antivirus product, if you were to generalize your advice?

Thierry : I would rather not comment on this, I am not neutral in this one. A home user is rarely the target of sophisticated 0day attacks; as such he should choose the AV software that suits him, mixed with detection rates. However, enterprises should hold vendors accountable and ask for more details.

Dancho : Isn't the single most important vulnerability found in antivirus software during the last couple of years the easy-to-bypass signature-based scanning approach, and the product concept myopia of spending years of research on heuristics where the same amount of resources should probably have been spent on behavioral detection solutions?

Thierry : From a larger viewpoint, concentrating on the functional aspect of AV software - you are absolutely correct. The "problem" with behavioral detection is this one - they need fewer updates and... updates are what keeps the AV business model rolling. If this had not been the case, I am sure we would have a lot better behavioral and overall detection nowadays. It's ridiculous how easy it is to bypass heuristics.

Conflicts of interest are common in every industry; however, it shouldn't be the end user who is given a false sense of security by not being reminded that security software is itself vulnerable to security flaws, a reminder that helps him make a more informed strategic decision when purchasing such solutions. Moreover, relying on a single antivirus product as a perimeter defense is precisely what defense-in-depth is not about.
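The risk the interview keeps returning to, a file parser inside the scanner that crashes or hangs on crafted input while the scanner runs on an MTA with the server's privileges, is one a deployer can reduce by isolating the parser and failing closed. The Python below is an added example written for this article, not code from n.runs, McAfee or any AV product: a broker runs a toy, deliberately buggy record parser in a child process under CPU and memory limits and a wall-clock deadline, and treats any crash, hang or parse error as a reason to quarantine the file rather than let it through unscanned. The container format, the `BAD_PAYLOAD` pattern, the exit codes and all function names are constructed for the demo; it assumes a POSIX host where `fork` and `resource` limits are available.

```python
"""Fail-closed, isolated parsing for a content scanner (added example)."""
import multiprocessing
import resource
import struct
import sys

# Constructed toy container format: magic "NR01", then records laid out as
# [tag:1 byte][length:2 bytes big-endian][payload], where the length field
# covers the 3-byte record header plus the payload.
MAGIC = b"NR01"
TAG_DATA = 0x01
# Constructed detection pattern for the demo; not a real malware signature.
BAD_PAYLOAD = b"CONSTRUCTED-TEST-SIGNATURE"

# Exit codes the child scanner reports back to the broker (constructed).
EXIT_CLEAN = 0
EXIT_PARSE_ERROR = 2
EXIT_MALICIOUS = 3
# Any other outcome (a signal, a Python crash, a missed deadline) is treated
# as a scanner failure and the file is quarantined, never passed through.


def naive_parse(data):
    """Toy record parser with a deliberate bug of the kind the article is
    about: a record whose length field is 0 never advances the offset, so a
    crafted file makes the loop spin forever (a denial of service of the scanner)."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")
    off = 4
    while off < len(data):
        tag = data[off]
        (length,) = struct.unpack(">H", data[off + 1:off + 3])
        payload = data[off + 3:off + length]
        yield tag, payload
        off += length  # bug: length == 0 leaves off unchanged


def make_record(tag, payload):
    """Build a well-formed record (used to construct sample input)."""
    return bytes([tag]) + struct.pack(">H", 3 + len(payload)) + payload


def make_file(*records):
    return MAGIC + b"".join(records)


def _scanner_child(data, cpu_seconds, mem_bytes):
    """Runs in the isolated child: apply resource limits, then parse."""
    for res, limit in ((resource.RLIMIT_CPU, cpu_seconds), (resource.RLIMIT_AS, mem_bytes)):
        try:
            resource.setrlimit(res, (limit, limit))
        except (ValueError, OSError):
            pass  # limit not settable here; the parent's deadline still applies
    try:
        for tag, payload in naive_parse(data):
            if tag == TAG_DATA and BAD_PAYLOAD in payload:
                sys.exit(EXIT_MALICIOUS)
    except Exception:
        sys.exit(EXIT_PARSE_ERROR)  # truncated or malformed input: fail closed
    sys.exit(EXIT_CLEAN)


def scan_bytes(data, deadline=2.0, cpu_seconds=1, mem_bytes=1024 * 1024 * 1024):
    """Broker side: run the parser in a separate process and map its fate
    to a verdict. Returns "clean", "malicious" or "quarantine"."""
    ctx = multiprocessing.get_context("fork")  # assumption: POSIX host
    proc = ctx.Process(target=_scanner_child, args=(data, cpu_seconds, mem_bytes))
    proc.start()
    proc.join(deadline)
    if proc.is_alive():          # hung past the wall-clock deadline
        proc.kill()
        proc.join()
        return "quarantine"
    if proc.exitcode == EXIT_CLEAN:
        return "clean"
    if proc.exitcode == EXIT_MALICIOUS:
        return "malicious"
    return "quarantine"          # parse error, signal (e.g. SIGXCPU) or crash


if __name__ == "__main__":
    print(scan_bytes(make_file(make_record(TAG_DATA, b"hello"))))        # clean
    print(scan_bytes(make_file(make_record(TAG_DATA, BAD_PAYLOAD))))     # malicious
    print(scan_bytes(make_file(bytes([TAG_DATA, 0, 0]))))                # quarantine: parser hangs
```

The point of the broker is the default on failure: a scanner that dies on a crafted file and lets the message continue turns a denial of service into a scanning bypass, which is exactly the second class of flaw the article contrasts with remote code execution. In a real deployment the child would also drop privileges and run under an OS-level sandbox; the resource limits here only bound how much a parser bug can cost the host.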


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

6 comments
  • Conflicts of Interests Are Common for Every Industry

    And Thierry should certainly know, because n.runs has recently released its own AV solution, aps-AV: http://www.nruns.com/_en/aps/ Oddly enough, this never seems to be mentioned during any discussions of n.runs research.
    Snagglegaster-19929872174467528481394836508114
    • Not exactly...

      The product you linked to is NOT an antivirus solution. It's a security package designed to work WITH one or more antivirus products. It provides a way to allow antivirus software to work in conjunction with email servers without exposing the email server to possible risks from parsing malware content.

      It's basically a way of putting the antivirus in a sandbox so it can't hurt other stuff if it gets compromised.
      bmerc
      • Full Disclosure

        Full disclosure is really what the post was about. n.runs' claims should be evaluated on their own merits, but I don't believe that the existence of their AV solution, or "security package" if you prefer, is irrelevant to the discussion. So, basically, my original post means just what it says; no more, no less.
        Snagglegaster-19929872174467528481394836508114
  • RE: McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position

    Anyone who understands software created by someone knows how to create a blessing or a problem. McAfee is not the only software that can be used to test their ideas, be used to test their malware. There are registry cleaners that can create a problem too. I had malware problems or software problems that went undetected by any antivirus software sometimes; each time I thought they were the better software for finding it, each time it happened I saw some other software found something others did not find, was it real or not I do not know. I had to erase my hard drive and make sure what I reinstalled, because the antivirus did not detect it. That game where the picture flickers several, or picture goes blank, it's presumed to be hardware problems, I erased the hard drive and was careful about reinstall, it was gone.
    troubled241
  • RE: McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position

    People always confuse Anti-Virus software with Ad-Ware, Mal-ware, and Spy-ware. A program for Ad-ware, Mal-ware, and Spy-ware is completely separate from an Anti-Virus Program.

    Some Anti-Virus programs may have a plug-in or additional integrated software to provide a one-stop solution. Don't confuse single applications with multi-products or suites.
    The Rifleman
  • RE: McAfee debunks recent vulnerabilities in AV software research, n.runs restates its position

    McAfee VirusScan Enterprise Version 8.7i, see here for latest Upgrade your McAfee Antivirus http://scforum.info

    huliio1980