The software vulnerability exploited by the recent Witty worm is only the latest in a growing list of flaws being discovered in the very products users invest in to safeguard their systems.
"This is a new realm of risk that users must confront: the security of security (products)," said Andrew Plato, president of Anitian Enterprise Security, a systems integration and consulting firm in Beaverton, Ore.
The Witty worm, which was reported to have damaged 15,000 to 20,000 computers worldwide, took advantage of a flaw involving the BlackIce and RealSecure intrusion-prevention products from Atlanta-based Internet Security Systems (ISS). The worm wrote random data onto the hard disks of vulnerable systems, causing the drives to fail and making it impossible for users to start up the systems.
The flaw was the result of a buffer-overflow condition in a function used to detect peer-to-peer traffic, said Chris Rouland, director of the X-Force security team at ISS.
The company worked to "very quickly mitigate the risk" after being informed of the problem by eEye Digital Security, Rouland added. But Witty was released "almost immediately" after the fix became available and before many users had time to respond, he said.
Rouland noted that the number of major flaws that have been discovered in ISS products over the past five years has been limited to two. That's well below the industry average, he stressed, because ISS follows strong quality and code-audit processes.
Just a few weeks earlier, a vulnerability caused by an unchecked buffer was discovered in a firewall from Zone Labs in San Francisco. Fred Felman, vice president of marketing at Zone Labs, said his company also responded quickly, so no exploits were reported. Zone Labs follows "stringent" processes for product quality, Felman added.
In February, vulnerabilities were discovered in a firewall from Check Point Software Technologies Ltd. that could have allowed attackers to modify firewall rules.
Similarly, a critical vulnerability was discovered in an Internet security product from Symantec that would have let attackers gain remote access to a compromised system. Overall, security vendors average about four critical vulnerabilities each year, according to statistics from ISS.
The trend isn't a particularly comforting one, Plato said. "Users should be very worried about this. The mad dash to be 'first to market' on every feature often creates sloppy engineering," he said.
Security software is becoming an attractive target for attackers, said John Pescatore, an analyst at Gartner. "If you are a hacker and you want to get some publicity, the best way to get it is to (break into) a security product," he said.
This week's incident also put the spotlight on a troubling habit by some security vendors to search for and disclose flaws in rival products as part of their competitive efforts, said Pete Lindstrom, an analyst at Spire Consulting in the US.
eEye, which discovered the ISS flaw, sells products that compete with those from ISS. It was also eEye that discovered the Zone Labs flaw. And ISS in the past has found problems in other vendors' products, such as those from rival Check Point.
"It's a fundamental conflict of interest," Lindstrom said. "Why would you even be looking at your competitors' products to begin with?"
According to Firas Rouf, chief operating officer at eEye, his company doesn't specifically search for flaws in competitors' products. The discovery of the ISS flaw was the result of research being conducted on a similar product being developed by eEye, Rouf said.
Rouland said ISS is interested only in finding vulnerabilities that exist in broadly used products. "We would look at a Check Point product just as we would a Microsoft product, because they are both so widely deployed," he said.