NSS Labs: Testing shows most AV suites fail against exploits

Many vendors fail to develop further signatures to guard against different exploits that use the same vulnerability

A majority of security software suites still fail to detect attacks on PCs even after the style of attack has been known for some time, underscoring how cybercriminals still have the upper hand.

NSS Labs, which conducts tests of security software suites, tested how security packages from 10 major companies detect so-called "client-side exploits." In such incidents a hacker attacks a vulnerability in software such as Web browsers, browser plug-ins or desktop applications such as Adobe Acrobat and Flash.

NSS Labs is an independent security software company that unlike many other testing companies does not accept vendor money for performing comparative evaluations. Vendors are notified, however, and are allowed to make some configuration changes before NSS Labs' evaluation.

"This test -- the first of its kind in the industry -- was designed to identify how effective the most popular corporate endpoint products are at protecting against exploits," according to the report. "All of the vulnerabilities exploited during this test had been publicly available for months (if not years) prior to the test, and had also been observed in real attacks on real companies."

The attacks are often done by tricking a user into visiting a hostile Web site that delivers an exploit, or a specially crafted code sequence that unlocks a vulnerability in a software application, according to the NSS Labs report.

There can be different variants of exploits that attack the same vulnerability but target different parts of a computer's memory. Security vendors frequently add signatures to their databases that enable the software to detect specific exploits, but those exploits may evolve.

"A vendor may develop a signature for the initial exploit with the intent to later deliver subsequent signatures," the report said. "Our testing has revealed that most vendors do not take these important additional steps."

Only one of the 10 software suites tested detected all 123 exploits and variants, which were designed to attack vulnerabilities in software such as Microsoft's Internet Explorer browser, Firefox, Adobe Acrobat, Apple's QuickTime and others.

The 10 software suites scored vastly different, with one catching all of the exploits at the top end and 29 percent at the low end.

NSS Labs said the average protective score was 76 percent among the 10 suites for "original exploits," or the first exploit to be made publicly against a particular software vulnerability. Three of the 10 caught all original exploits. For variant exploits, the average protective score was 58 percent.

"Based on market share, between 70 to 75 percent of the market is under protected," the report said. "Keeping AV software up-to-date does not yield adequate protection against exploits, as evidence by coverage gaps for vulnerabilities several years old."

NSS Labs president, Rick Moy, said all of the vulnerabilities are "low-hanging fruit." Information on the vulnerabilities has been available in some cases since 2006, which means the hackers all know the problems and the exploits are still being used.

But security software companies have tended to focus on the malicious software delivered after an exploit. Those samples number in the millions now. However, the number of exploits are much, much less numerous and would be a better choke point to protect computers.

"I think part of the problem is the industry is focusing more on the malware than the exploit," Moy said. "You need to look at both, but ...you really need to look a vulnerability-based protection and stopping the exploits."

Patching the known vulnerabilities will also stop the exploits, but many companies won't apply all patches immediately since it may break other software those companies are using, Moy said. Security software represents a good "virtual patch," but only if it can detect those exploits and subsequent malware, he said.

NSS Labs puts the suites in three categories: "recommend," which means a product performed well and should be used in an enterprise; "neutral," which means a product performed reasonably well and should continued to be used if it is already in use; and "caution," which means the product had poor test results and organizations using it should review their security posture.

NSS Labs chose to reveal those security suites it rates as "caution": AVG Internet Security Business Edition 9.0.733, ESET Smart Security Enterprise Business 4.474, Norman Endpoint Protection 7.2 and Panda Internet Security 2010 (Enterprise) 15.01. The full report costs US$495 and is available on NSS Labs' Web site.

Send news tips and comments to jeremy_kirk@idg.com

Copyright © 2010 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon