Leaving the backdoor open

commentary Have we been lulled into a false sense of security by some anti-virus firms?Despite the fact that most Internet users are firmly aware there are no guarantees when it comes to computer security, a new vulnerability in a leading security product will surely come as a rude awakening to many.

commentary Have we been lulled into a false sense of security by some anti-virus firms?

Despite the fact that most Internet users are firmly aware there are no guarantees when it comes to computer security, a new vulnerability in a leading security product will surely come as a rude awakening to many.

The product in question is Symantec's Norton Internet Security 2004. The flaw: its auto-protection feature can be disabled by malicious, local users.

An error which resides in the software's auto-protection functionality is triggered when dealing with certain Visual Basic scripts. The vulnerability can also be exploited to download and execute destructive files, which normally would be caught by the anti-virus program.

Security researcher Daniel Milisic, who discovered the bug, took the company to task: "Symantec should be publicly flogged for trying to sell this inferior AV software to home users, especially knowing they have a decently workable AV product in their enterprise line. It's unbelievable that Symantec sells a product that operates this poorly." He believes other versions of Norton Internet Security could also be affected.

Security flaws and patches have become part and parcel of our lives but the toughest part to grasp is Symantec's apathetic response. When contacted by ZDNet Australia's Munir Kotadia for comment, a spokesperson tersely remarked: "We would know more in 24 hours."

Now, that is unbecoming of a company which prides itself on being on the cutting-edge of IT security. In fact, this is one company which always goes to great lengths to boast about its capabilities. Take this September 2004 statement as an example:

"The time between the disclosure and widespread exploitation of a vulnerability continues to shrink," Gail Hamilton, executive vice president and general manager of Symantec Global Services and Support said.

"The best way to protect a network against any threat is to know about the threat and the vulnerability it exploits before the attack is launched.

"Symantec's early warning solutions alert our customers to emerging attacks as well as provide actionable information on how to proactively protect the environment against the attack," Hamilton claimed.

So, was Symantec caught unawares with the hole in Internet Security 2004? Perhaps it feels it has the right to brag since market share figures indicate the company holds a dominant position.

But what about the customers? Symantec should have offered some form of assurance that it's working on a solution or at the very least, investigating the matter. This type of holier-than-thou attitude is just bad for business and it proves to hackers, crackers and virus writers that Symantec is just another easy target.

The "good" news for Symantec is that it's not alone; various competitors have also been found guilty of hawking damaged goods.

Security intelligence firm iDEFENSE today revealed that consumer anti-virus products from McAfee, Computer Associates, Kaspersky Labs, Sophos, Eset and RAV contain a flaw which can be remotely manipulated by attackers.

Most, with the exception of Sophos and RAV, displayed their willingness to come forward and prove that home users are as important as enterprise customers. Business 101 dictates that the customer is always right. Perhaps it's time for Symantec to get with the program.