[ISN] Security Firms Follow Unwritten Code When Digging Up Dirt On Each Other

InfoSec News isn at c4i.org
Tue Mar 1 04:48:38 EST 2005


Forwarded from: security curmudgeon <jericho at attrition.org>

: http://www.informationweek.com/story/showArticle.jhtml;jsessionid=POBBDHOZK2B4AQSNDBCCKH0CJUMEKJVN?articleID=60403683
: 
: By Gregg Keizer 
: TechWeb News 
: Feb. 25, 2005 
: 
: A critical vulnerability was spotted Thursday in the anti-virus engine 
: used by Trend Micro's entire line of client, server, and gateway 
: security products, the third such disclosure this month of flaws in 
: major security firms' software.

: While vulnerabilities within security products are rare -- at least in 
: comparison to, say, operating systems such as Windows -- they're not 
: unheard of. And by one analyst's take, they're fair game.

Of course there are fewer than in an operating system, but that doesn't
make them "rare" by any means. Not only are most security products
just as vulnerable as other software products, they add a false sense
of security given the nature of their purpose. People purchase
Anti-Virus to stop viruses. They purchase firewalls to stop bad
traffic. Instead, they are often installing software that is giving
attackers *another* way into their system. According to osvdb.org:

Symantec: 108 vulnerabilities in their products, including Anti-Virus,
Norton Utilities, Raptor Firewall, NetProwler, pcAnywhere, I-gear,
Anti-Spam, Gateway, Web Security, LiveUpdate, VelociRaptor and more.

Trend Micro: 59 vulnerabilities in their products, including InterScan
Viruswall, ScanMail, OfficeScan, PC-Cillin, AppletTrap, VirusBuster
and more.

F-Secure: 12 vulnerabilities in their products, including Policy
Manager, Anti-Virus, Gatekeeper, Backweb and more.

: Trend Micro agreed here, too. "We're actually really happy that people 
: are doing this. The industry needs something like this, not because we 
: need to stir up anything politically [between companies] but because 
: different people tend to look at problems different ways," said 
: Hansmann.

Why Trend Micro isn't doing it is the real question.

: But the practice of one security firm investigating another could be 
: considered inappropriate, said Pescatore, if abused. In the past, 
: various anti-virus firms took potshots at each other, not in public, but 
: by touting the weaknesses in rivals to analysts like Pescatore.

This is standard operating procedure among many security vendors. Many
product sales pitches are half touting their product, half pointing
out weaknesses in competitors.

: "If there's one thing I would tweak ISS about," said Pescatore, "it 
: would be that I'm assuming we'll never see anything like the Witty worm 
: in the future if ISS has the time to look for vulnerabilities in other 
: companies' products."
: 
: It's not easy to dig up vulnerabilities, said Pescatore: "it takes 
: skill," he said.
: 
: "You would have thought they'd been looking at their own products."

There is no marketing value in that.