Security researcher says antivirus certification programs create a false sense of security for the product's users

Mar 15, 2016 23:50 GMT

Over the weekend, one of Google's top security researchers, Tavis Ormandy, published a blog post in which he criticized antivirus certification programs that award meaningless prizes to flawed security products.

His problem came from the fact that, at this year's RSA security conference held at the start of March, Verizon's ICSA Labs awarded Comodo the 2016 Excellence in Information Security Testing Award.

The irony of this award wasn't lost on him, nor us, if we take into account that, since last December, Mr. Ormandy has been unearthing security flaws in Comodo's Antivirus products on a regular basis.

Mr. Ormandy + Comodo = <3

The researcher first discovered that Comodo was forcibly installing an insecure browser that disabled SOP (Same-Origin Policy), a key security feature in Web browsers. He also learned that Comodo's scanning process didn’t enable ASLR protection, and then that the entire antivirus was using incorrect ACLs (Access Control Lists).

Later on, he also found that one of Comodo's tech support tools bundled by default with some of its security products was also installing an insecure VNC server with weak authentication, equally as bad as his first findings.

Worse still, even though all of the above problems have been reported and fixed, a look at Mr. Ormandy's Twitter feed today still shows unresolved issues. The most recent of them, described in a tweet, allows an attacker to exfiltrate keystrokes just by having the antivirus scan a file.

It's no surprise that Mr. Ormandy had a problem with Verizon giving Comodo an award for excellence in information security, since if you follow his research, that doesn't seem to be a feature of Comodo's antivirus to begin with.

Some antivirus certification tests are just hilarious

But besides Comodo, Mr. Ormandy also took issue with the criteria Verizon used to certify the high standards of information security that Comodo supposedly had to meet.

Because Verizon published the methodology by which the awards were given out, Mr. Ormandy was quick to point out that the criteria were extremely simplistic.

This reporter also took a look at all the criteria, and in our assessment, most antivirus products would have passed since the certification requirements merely described basic antivirus functions, half of which were related to UI functions.

Some of the certification "criteria" included the likes of: "Enable and disable the Detection of Malware" (which is a basic start/stop button for the scanning process), "Retrieve and apply the latest Engine and Signatures over the Internet" (the antivirus must be able to update itself), "On-Demand Detection" (the antivirus must start a scan when you press a button, or a new file is detected), and "Report no false positives" (well, duh!).

Most antivirus products are a collection of deprecated codebases

But Mr. Ormandy's criticism was not directed only at Verizon and Comodo; he said that antivirus products in general are insecure. "All of the major security vendors are using ancient codebases with no awareness of modern security practices, it’s still hacking like it’s 1999," the researcher said.

And he's right in his assessment. Before cutting Comodo's reputation to bits, Mr. Ormandy also discovered security issues with other security products from companies such as Avast, Malwarebytes, Trend Micro, AVG, FireEye, Kaspersky, and ESET.

He did all of his research with no access to source code, using point-and-click security tools and basic techniques that every security researcher learns.

His point is that the vendors of these security products do very little testing on their own codebases and leave trivial security holes that are extremely easy for any security expert, and probably for hackers as well, to find.

The Google researcher says that both antivirus vendors and certification programs would do everyone a favor if they followed basic security testing procedures like the ones put forward by Microsoft's SDL (Microsoft Security Development Lifecycle).

"There’s no need to reinvent the wheel here. [...] Many of these [security tests] don’t require any skill and can be automated, but would actually be useful," Mr. Ormandy explains. "Award bonus points in some ranking for using sandboxing, and maybe we'll see the first vendor actually implement that."