Developers argue that buggy, big-name antivirus software is more dangerous than the attacks it’s meant to guard against. Nicole Kobie puts the security vendors on trial
Antivirus slows down your computer, interferes with apps and nags you with renewal pop-ups. But what if they were the least of its crimes? What if it was actually making your PC less secure? A long-running debate between developers and antivirus vendors has escalated into a knives-out brawl. The developers argue the antivirus industry’s lazy techniques widen the attack area and that sloppy code is filled with flaws, giving hackers more routes into the OS. Security firms, on the other hand, argue those without antivirus remain at greatest risk.
Who is correct? Both parties have a case, but the increasingly rancorous battle between some of the biggest names in the tech industry is currently generating more heat than light. Would you genuinely be better off uninstalling your security software? Read on and draw your own conclusions.
The case against antivirus
There are two main complaints against antivirus: it’s riddled with bugs and the way it’s designed gets in the way of other software measures.
Let’s start with the first. Head over to Google’s Project Zero (bugs.chromium.org/p/project-zero) and search for antivirus under “all issues” – you’ll find a long list of reported bugs from a host of vendors. You’ll also quickly notice that the vast majority of reports are filed by one Tavis Ormandy, Google’s belligerent and persistent security researcher.
The infamous bug hunter and antivirus critic last summer uncovered flaws in Symantec products that he said were “as bad as it gets”, and has also dug out bugs in Kaspersky, McAfee, Trend Micro and Sophos. In a statement to PC Pro, Symantec said that it “continually improves the protection delivered by our products with regular updates” and that it works not only with its own experts but independent security researchers. However, Ormandy isn’t alone in discovering cavities in the software that’s meant to be protecting us. Joxean Koret, a researcher at Singaporean security firm COSEINC, spent a year poking holes in antivirus, finding dozens of vulnerabilities largely in software using C/C++.
In his presentation, he uses language saucier than this magazine can print to suggest that antivirus companies don’t care about security in their own products, and wonders “why is it harder to exploit browsers than security products?”
Meanwhile, a report from Flexera Software at the end of last year revealed that 11 of the 46 pieces of software on its rankings of most vulnerabilities were actually security products.
Naturally, it’s not only white hats who are searching for holes in antivirus. The tranche of 8,000 pages of documents about the CIA’s hacking skills published by WikiLeaks revealed the American spies have an unflattering opinion of antivirus. Comodo was described as being a “colossal pain in the posterior” for spies to get around, but an older version of its antivirus has a “gaping hole of doom”. A now-patched flaw in Kaspersky allowed spies to bypass all protections, and one CIA hacker crowed about a “totally sweet” bug in AVG.
“Antivirus is a technology that should be used with extreme caution,” said Craig Young, security researcher at Tripwire. “In recent years, evidence has been piling up to show that weaknesses in virtually every antivirus product available could actually expose end users to more serious risks than the viruses they are protecting against.” Those flaws are all the more dangerous because of the way most antivirus software occupies an elevated position, and because it uses invasive techniques to sniff out attackers. Normally, malware must trick users into clicking a link, opening a document or running an executable, Young notes.
That means “weaknesses in the antivirus program can be exploited without any user interaction,” he explains.
“If an adversary knows what kind of antivirus a target is using and can identify a vulnerability in that product, gaining complete control of the remote systems can simply be a matter of sending an email, even if the email is never opened.”
Robert O’Callahan worked at Firefox-developer Mozilla for 16 years and, when he left the company, he took a parting shot at security software developers with an inflammatory post on his blog (pcpro.link/274blog), titled “Disable your antivirus software (except Microsoft’s)”.
He said that antivirus “products poison the software ecosystem because their invasive and poorly implemented code makes it difficult for browser vendors and other developers to improve their own security”.
O’Callahan’s own example came when he was working on Firefox for Windows to implement address space layout randomisation (ASLR), which protects against a type of attack called “buffer overflow” by randomising where executables are loaded into memory. O’Callahan said “many antivirus vendors broke it by injecting their own ASLR-disabling DLLs into our processes.
“Several times antivirus software blocked Firefox updates, making it impossible for users to receive important security fixes,” he continued. “Major amounts of developer time are soaked up dealing with antivirus-induced breakage, time that could be spent making actual improvements in security.”
Another concern is how most antivirus sits between your browser and the web, creating the possibility for a man-in-the-middle attack. To see encrypted traffic and check it’s not malicious, the software intercepts it – sometimes by default, other times with user permission – creating its own secure Transport Layer Security (TLS) connection to do the work of the web browser by checking certificates. In other words, antivirus breaks existing browser security systems to use a hacking technique against its own customers.
The case for antivirus
Antivirus vendors defend their efforts. We asked several major players for a response, and the strongest came from PandaLabs. “We know that Project Zero researcher Tavis Ormandy likes analogies so we would like to put one forwards,” said Luis Corrons, technical director of PandaLabs. “It is a fact that medical vaccines work and have saved millions of lives, virtually eradicating some of the nastiest diseases ever known. However, you will always find some ‘bright spark’ who says it is much better not to inoculate the population, just use knowledge to avoid the infections, and we always have antibiotics if we feel sick.”
Corrons added: “Antimalware solutions are one of the most efficacious methods of detecting and protecting against hundreds of millions of known security threats. Not using antimalware exposes you to unnecessary risks.”
For a more independent defense, we turned to Dr Vesselin Bontchev. He previously worked at antivirus firm Frisk in Iceland, but now works at the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, and he’s stepped into the fray on Twitter to counter the case made by Ormandy and his colleagues.
There’s no denying the bugs, of course, and Bontchev admits that all major antivirus firms have reported flaws, although they’ve since been fixed. He also concedes that the decision made by antivirus firms to sit at kernel level makes those flaws all the more dangerous. He even agrees with Ormandy et al that antivirus opens up new attack surfaces. “In this claim, they are correct,” he said. “It’s the conclusions they make from this that are totally wrong, misleading, and even harmful for the users.”
He says we must perform a risk assessment. Antivirus may be flawed, but so too will any other piece of software you run. Which is most likely to make you a target – a rare, hard-to-hack bug in antivirus, or the many basic flaws in every other piece of software? “What [antivirus] does is replace one risk, an attacker invading your machine by using an unknown and unpatched bug in your antivirus, with another: your machine getting infected because you opened a malicious file and you had no antivirus to stop you from doing so,” Bontchev argues.
The chances of an attacker exploiting a bug in antivirus software, Bontchev adds, are slim. “It takes an extremely competent attacker to find one and to exploit it,” he said. “There are very few such attackers around.”
On the other hand, standard malware is easy to find and easy to exploit. “Clearly, commodity malware presents a much greater risk than extremely sophisticated attackers using a hypothetical bug in your antivirus software,” Bontchev argues.
“I can think of only one or two cases when malware leveraged a bug in some antivirus product to attack computers,” he said. “Compare that with a million-per-day cases of ‘normal’, commodity malware attacking millions of people around the globe. Clearly, using antivirus software for protection against at least the malware it can detect and stop by far outweighs the risk of hypothetical unpatched bugs in said antivirus software.” F-Secure security advisor Sean Sullivan agrees. “For the last decade, it’s not been high-skilled, high-motivated attackers that we’ve been dealing with,” he said, adding that researchers such as Ormandy appear to be trying to protect victims from targeted, specialised attacks.
He’s also critical of the way researchers often publish such flaws if they’re not fixed within a defined period of time. “I don’t know that that’s the best utilitarian choice in terms of harm and the amount of harm it might cause,” he said. “Because when they disclose something like that, they are potentially giving cyber criminals… a free gift.”
Bontchev agrees that antivirus design too often uses “design that is not the best from a security point of view,” but, once again, “while the complaints are correct, the conclusion is completely wrong”. To Bontchev, there is good reason to meddle with HTTPS, for example, as plenty of malware uses such encrypted channels for communication. “If you don’t break the encryption, you can see which site the user is trying to visit (more exactly, its IP address) but not which particular link (URL, page) on this site,” he argues. “Sometimes malware is stopped because the user is attempting to access a ‘known bad’ URL. If you can’t get the URL, you can’t stop it.”
Time for another risk assessment. “What presents a greater risk: attackers trying to break your encryption when you’re visiting sites, or commodity malware that would infect your machine?” Bontchev asks. “While the former isn’t harmless – it can lead to the attacker capturing your passwords – it is rare; practically unheard of, except when professional spy agencies are involved. The latter, commodity malware, happens every damn day to millions of people.”
The jury’s verdict
Whether you need to worry about antivirus’ inherent flaws depends on your risk profile. If you’re a potential target of state-sponsored hacking or other serious, targeted attacks, the bugs in antivirus may well present a serious risk.
But what about the rest of us? We asked resident security guru Davey Winder for his thoughts. “Remember, all software has bugs. Would I suggest you don’t use any AV software? No, of course not. Similarly, I wouldn’t suggest you rely upon any antivirus software alone to protect your networks and data. A multilayered security posture is the way forward for most people, most of the time; and antivirus remains a valid layer within that posturing.”
The antivirus firms also seem to be stepping up their own security. They are wisely starting to offer bug bounty payments to encourage security researchers to cast a glance over their code, and while some seem to view Ormandy et al with a suspicious eye, others are happy to work with flaw finders to harden their software.
But that only addresses the coding flaws in antivirus. Where it sits makes those bugs more dangerous. Perhaps it’s time for antivirus to develop a better, safer scanning system – Sullivan points out that F-Secure doesn’t play man-in-the-middle to watch over HTTPS traffic. “We are missing one opportunity to spot some malicious code and kill it in the bud,” he admits. “But we made that call several years back that we don’t want to be in the position of being a man-in-the-middle, even if that is a trusted man-in-the-middle. You just have to work harder on the other layers you’ve got.”
Other developers (see below) note that Chrome and Firefox both support other techniques to filter traffic, so no “man-in-the-middle” is required.
In the meantime, users are being left with something of a Hobson’s choice. “Should the antivirus products use better, more secure designs? Absolutely! There is much that needs improvement in this aspect,” Bontchev argues. “But, most importantly, what is needed is a dialogue.”
While the pursuit and publication of antivirus bugs has raised awareness of the issue, it’s key for antivirus makers and bug hunters to remember they’re working towards the same goal – keeping users safe.
What happens when antivirus breaks your software?
Ask a developer about antivirus meddling with their own software’s security, and you’ll get an earful. Matthew Holt is the author of the Caddy web server and has battled antivirus to keep his software working properly.
“A trusted, uncompromised website used a modern certificate with elliptic curve cryptography,” he explains.
“Browsers already supported this emerging technology at the time, so a direct TLS connection between the browser and the website would have succeeded.
“However, users who were running antivirus software or were behind some corporate/university firewalls observed ERR_CONNECTION_CLOSED errors,” he adds. “They were not able to access the site at all. Inspecting packet transmissions with Wireshark revealed that the connection was being downgraded to TLS 1.1. This is highly suspicious since the site supported HTTP/2 which requires TLS 1.2.
“Bizarrely, disabling antivirus or going off-campus made it possible to connect to the site using the exact same computer and browser.”
It became clear that the antivirus program – in this instance, Avast although Holt’s previously had issues with AVG, Kaspersky and others – and university firewalls were severing the TLS connection, then creating their own between them and the server so they could decrypt the traffic in between.
“Unfortunately, the TLS stack used by the firewall and the antivirus programs were outdated and did not support modern protocols or cipher suites. This not only broke the connection in this case and many others, but compromised the security of all other HTTPS connections it made, even if the server supported more secure configurations that the browser would have preferred!” he explains.
Holt argues antivirus firms should stop using this “man-in-the-middle” technique, given the havoc it wreaks on browser-level security. “Both Chrome and Firefox support saving session keys to a file (if the user enables it). This is already useful for debugging connections with Wireshark, and it should provide AV products with the access they need without compromising network security. This is passive inspection; no [man-in-the-middle] required.”
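The session key file Holt refers to is plain text in the NSS key log format, written by the browser when the SSLKEYLOGFILE environment variable is set. The parser below is an added example, not code from the article or from Holt: it validates such a file and reports, per session, whether the browser negotiated TLS 1.3 or TLS 1.2 or earlier. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

TLS12_LABELS = {"CLIENT_RANDOM"}  # NSS key log label; value is the master secret
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
HEX = re.compile(r"[0-9a-fA-F]+")


def parse_keylog(text):
    """Return ({client_random: {label: secret_bytes}}, [(lineno, reason)])."""
    sessions, errors = defaultdict(dict), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected: LABEL CLIENT_RANDOM SECRET"))
        elif parts[0] not in TLS12_LABELS | TLS13_LABELS:
            errors.append((lineno, "unknown label"))
        elif len(parts[1]) != 64 or not HEX.fullmatch(parts[1]):
            errors.append((lineno, "client random is not 32 hex-encoded bytes"))
        elif not HEX.fullmatch(parts[2]) or len(parts[2]) % 2:
            errors.append((lineno, "secret is not hex-encoded bytes"))
        elif parts[0] == "CLIENT_RANDOM" and len(parts[2]) != 96:
            errors.append((lineno, "master secret is not 48 bytes"))
        else:
            sessions[parts[1].lower()][parts[0]] = bytes.fromhex(parts[2])
    return dict(sessions), errors


def session_versions(sessions):
    """TLS 1.3 logs traffic secrets; TLS 1.2 and earlier log a master secret."""
    return {cr: "TLS 1.3" if set(labels) & TLS13_LABELS else "TLS 1.2 or earlier"
            for cr, labels in sessions.items()}


# Constructed sample, not real key material.
SAMPLE = "\n".join([
    "# constructed key log sample",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "44" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "55" * 32,
    "CLIENT_RANDOM " + "66" * 32 + " " + "77" * 10,  # truncated secret
    "garbage line",
])
```

The key log cannot distinguish TLS 1.1 from TLS 1.2, so confirming the downgrade Holt saw still needs the handshake itself, as in his Wireshark capture.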