Doctors sometimes make mistakes that harm the patient. Police often fail to protect and serve. When that happens, people rightly demand the failures be analyzed and fixed. But no one ever calls for the elimination of all doctors and police.
Why then, do some call for the end of antivirus and anti-malware when failures happen? It’s a question that has vexed us for a long time.
Researchers uncover vulnerabilities in security products on a regular basis. A recent example is Trend Micro, which faced scrutiny in January after researchers reported some 223 vulnerabilities across 11 of the vendor’s products. Tavis Ormandy, a prolific and gifted Google Project Zero researcher who most recently discovered Cloudbleed, regularly targets security products, including those produced by Sophos and such vendors as Kaspersky and Symantec.
Along the way, someone either declares it the end of antivirus, anti-malware and endpoint protection, or calls for its demise. Last year, during another disclosure of Trend Micro vulnerabilities, security experts even declared antivirus a threat to security.
Can we all do better? Absolutely. Like all technology created since the dawn of time, antivirus sometimes falls short of its mission. As an industry, we need to continue to find weaknesses and fix them as quickly as possible.
Does doing better mean we set aside antivirus and anti-malware, just as some believe vaccines should be shelved? Hardly.
To help frame the issue, I sat down with Sophos CTO Joe Levy.
Iatrogenesis happens, followed by schadenfreude
“In responding to the occasional question about the claims of harm from endpoint security products, it occurred to me how strikingly similar such a belief system is to the anti-vaxxer movement. Both mean well, but unfortunately have the potential to do more harm than those they indict. Nonetheless, those who point out problems with antivirus make valid points,” Levy said. “All software has flaws.”
Levy offers two other observations:
- This is a case of yelling ‘iatrogenesis’ (harm caused by the healer) in a crowded theater. It is particularly sensational because of the irony, and in many cases, a source of schadenfreude (pleasure derived from the misfortune of others).
- The attack surface of security software is often enlarged by the level of privilege needed to operate efficiently (i.e. in the kernel) and to do the kind of work that it needs to (file/network interception, process termination, system cleanup, etc.)
Just as patients sometimes develop complications after surgery, security technology sometimes fails, creating unintended harm for the user, Levy said. When that happens, detractors love to swoop in and bludgeon the offender.
Levy noted that when medical care goes wrong, we don’t see the masses calling for the end of doctors and hospitals. Sometimes police make mistakes and do harm in the line of duty. When that happens there’s public outrage, but no one calls for the end of police.
Like modern medicine and law enforcement, the security industry has a very high obligation to protect their users from harm. That means not only demonstrating effectiveness against attacks targeting operating systems and applications, but also against attacks targeting themselves. Despite this awareness, prevalent security software, like all other software with a large enough install base, is still sometimes found to be far from ironclad.
But just as we still need hospitals and police officers, we still need those security tools, Levy said. While Microsoft continues to make great strides in the security of their operating systems and applications year over year, a look at the number of Microsoft vulnerabilities per year illustrates the continuing need for additional protections. Microsoft security holes between 2009 and 2016, as catalogued on the Common Vulnerabilities and Exposures (CVE) website, are as follows:
- 2009: 74
- 2010: 106
- 2011: 103
- 2012: 83
- 2013: 106
- 2014: 85
- 2015: 135
- 2016: 155
In five of the last eight years, Microsoft released more than 100 security bulletins in a 12-month period. The number of bulletins each year haven’t fallen below 75 since 2009. Antivirus remains the first line of defense when attackers work to exploit vulnerabilities in either software or the software’s human operators.
“We take our obligation to protect very seriously, and we make continuous investments in the tools and programs to improve the security of our products, from our SDLC (secure development lifecycle), to static/dynamic/runtime security tools, to our bug bounty program, to name a few,” Levy said. “We are genuinely grateful to those security researchers who practice responsible disclosure. All of us in the security industry, whether software vendors or researchers, seek to make information systems more secure.”
He added: “We should all take a sort of Hippocratic Oath to do no harm, and that means both holding ourselves to a higher standard for building secure software, as well as putting end users before glory or sensationalism. Failure at either is a form of negligence, but calls for extermination are silly and irresponsible. The focus should not be on kicking the other when they’re down, but on making each other better.”