Security product flaws attract attackers
This week's Witty worm marks the latest case in point
March 26, 2004 12:00 PM ET
Computerworld - The software vulnerability exploited by this week's Witty worm is only the latest in a growing list of flaws being discovered in the very products users invest in to safeguard their systems.
"This is a new realm of risk that users must confront: the security of security [products]," said Andrew Plato, president of Anitian Enterprise Security, a systems integration and consulting firm in Beaverton, Ore.
The Witty worm, which was reported to have damaged 15,000 to 20,000 computers worldwide, took advantage of a flaw involving the BlackIce and RealSecure intrusion-prevention products from Atlanta-based Internet Security Systems Inc. (ISS) (see story). The worm wrote random data onto the hard disks of vulnerable systems, causing the drives to fail and making it impossible for users to start up the systems.
The flaw was the result of a buffer-overflow condition in a function used to detect peer-to-peer traffic, said Chris Rouland, director of the X-Force security team at ISS.
The company worked to "very quickly mitigate the risk" after being informed of the problem by eEye Digital Security Inc., Rouland added. But Witty was released "almost immediately" after the fix became available and before many users had time to respond, he said.
Rouland noted that the number of major flaws that have been discovered in ISS products over the past five years has been limited to two. That's well below the industry average, he stressed, because ISS follows strong quality and code-audit processes.
Just a few weeks earlier, a vulnerability caused by an unchecked buffer was discovered in a firewall from Zone Labs Inc. in San Francisco. Fred Felman, vice president of marketing at Zone Labs, said his company also responded quickly, so no exploits were reported. Zone Labs follows "stringent" processes for product quality, Felman added.
In February, vulnerabilities were discovered in a firewall from Check Point Software Technologies Ltd. that could have allowed attackers to modify firewall rules (see story).
Similarly, a critical vulnerability was discovered in an Internet security product from Symantec Corp. that would have let attackers gain remote access to a compromised system. Overall, security vendors average about four critical vulnerabilities each year, according to statistics from ISS.
The trend isn't a particularly comforting one, Plato said. "Users should be very worried about this. The mad dash to be 'first to market' on every feature often creates sloppy engineering," he said.
Security software is becoming an attractive target for attackers, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. "If you are a hacker and you want to