The researcher confirmed in his presentation slides that some of the vulnerabilities he found had been fixed.
Independent of Koret's analysis, researchers from Offensive Security recently found three privilege escalation vulnerabilities in Symantec's Endpoint Protection product. The flaws can be exploited by a local user with limited privileges to gain full system access. Symantec is currently investigating the flaws.
"I won't go to the extent to say that AV software is pointless, since we do know that users still love clicking and installing stuff, and many networks are compromised this way," said Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security and a long-time vulnerability researcher. "However, system administrators should carefully select which security products they buy as well as which features are enabled — especially when it comes to content inspection. All those file format parsers have proven again and again over the years to be treasure troves to attackers."
Eiram said that while he didn't attend Koret's talk, he looked over the slides and the research appears to be solid.
"Adding a huge attack surface, which often happens when installing AV software or other security software, in an attempt to make systems/networks more secure does not increase overall security," Eiram said. "I agree that it often decreases it."
The fact that antivirus products have vulnerabilities might not be surprising to security researchers, but many regular users likely assume that security products are inherently secure. After all, it would be fair to expect good coding practices and solid secure development lifecycles from companies that are clearly familiar with the risks of vulnerable code and sell protection against attacks that exploit vulnerabilities in other software.
This problem, however, extends beyond antivirus programs. Ben Williams, a penetration tester with NCC Group, analyzed security appliances, including email and Web security gateways, firewalls, remote access servers and UTM (unified threat management) systems, from leading vendors in 2012 and concluded that most of them are poorly maintained Linux systems running insecure Web applications.
"While we do everything possible to ensure that products are fault free, sadly no software is perfect," an ESET representative said via email in response to an inquiry about Koret's research. The company contacted Koret after the researcher tweeted some of his findings on March 1 and fixed the problem he identified in less than three days, the representative said. "ESET always welcomes researchers who follow responsible disclosure procedures of bugs and issues."
A Bitdefender representative said via email that the company also fixed the problems disclosed in Koret's presentation slides within days of their release. However, the company is not in possession of the entire list of bugs that the researcher claims to have found and can't be sure that it has fixed all of them, or if they're even reproducible.