Just How Secure Are Security Products?
Computer, Technology News

It's obvious that customers buy security products to keep their computer systems safe from viruses, hackers, and other cyberdangers. It's thus also obvious why some users may be surprised to find that their security products can actually cause security problems.

Several times recently, products such as firewalls, antispam software, and intrusion prevention and detection software—from vendors such as Check Point Software Technologies, Symantec, and Zone Labs (a Check Point company)—have been found to have potentially dangerous flaws that could let hackers gain control of systems, disable computers, or cause other problems.

In most cases, the flaws were fixed before anyone could take advantage of them. However, said Pete Lindstrom, research director of Spire Security, a market research firm, a flaw in several Internet Security Systems (ISS) products let the recent Witty worm write data to computer hard drives in a way that disabled host systems.

Security vendors each generally average from three to 12 remotely exploitable critical vulnerabilities per year, according to Fred Cohen, managing director of Fred Cohen & Associates, a security consultancy.

Experts identify various reasons why security programs have these vulnerabilities, including increasing complexity in the software and inadequate research and education in areas that would help make the programs safer.

Several sources, such as John Hale, associate professor at the University of Tulsa and director of its Center for Information Security, said security products can also suffer from the same problems that afflict other types of software: inadequate attention to quality, and design mistakes caused by rushed engineering to meet deadlines.

SECURITY PRODUCT WOES

Several recent incidents illustrate the problems with security products. There are generally three main types of product flaws.
One type gives a hacker exploitable information about a system, another lets hackers enter a system, and the third lets successful intruders expand the access they gain to system resources, explained Cohen.

Buffer overflows have been one of the most frequently exploited flaws. An overflow occurs when a process tries to put more data into a program or function buffer than it was designed to store. Data beyond the allotted amount can overflow into adjacent buffers, corrupting or overwriting the data they store. A hacker could include executable code in the overflow data that causes harmful actions when the computer executes it.

Overflows can occur when a developer doesn't write a program so that it checks the size of user input and rejects input that is too large for its buffers before moving it around in memory, explained Ed Skoudis, an instructor with the SANS Institute, which conducts information security research, training, and certification.

ISS

The Witty worm attacked a buffer flaw in ISS's RealSecure Network, RealSecure Server Sensor, RealSecure Desktop, and BlackICE security products. The flaw was in a protocol analysis module, which detects attacks targeting instant messaging software by parsing several IM protocols, said Heath Thompson, ISS's vice president of engineering. The flaw was in the part of the module that dealt with AOL's ICQ instant messaging protocol.

"The buffer overflow was associated with a protocol parser used by ISS. A security tool needs to grab packets off the network and [parse] them to see if there is an attack," Skoudis said. "There was a buffer overflow vulnerability in the packet parser associated with the ICQ chat program, and that is what the Witty worm attacked."

The Witty worm, written to exploit the ISS flaw, infected computers hosting the company's products.
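As an added illustration (not code from the article, from ISS, or from any real product), here is the kind of input-size check Skoudis describes, applied to a hypothetical toy chat-message format rather than the real ICQ protocol: the parser validates the declared field length against both the bytes actually received and the destination buffer before copying, so malformed or oversized packets are rejected instead of overrunning the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical toy chat-message format (constructed for this example, not
 * the real ICQ wire format): byte 0 is the declared nickname length N,
 * bytes 1..N are the nickname. A parser that trusts N and copies N bytes
 * into a fixed buffer is the unchecked pattern the article describes. */

#define NICK_CAP 16   /* fixed-size destination buffer, as in a real parser */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };
/* Copy the nickname field of pkt into out (capacity out_cap, NUL-terminated).
 * Rejects a declared length that exceeds the bytes actually present or the
 * room in out, so no write can pass the end of either buffer. */
int parse_nick(const unsigned char *pkt, size_t pkt_len,
               char *out, size_t out_cap)
{
    size_t n;
    if (pkt_len < 1)            /* no length byte at all */
        return PARSE_TRUNCATED;
    n = pkt[0];
    if (n > pkt_len - 1)        /* declared length runs past the packet */
        return PARSE_TRUNCATED;
    if (n >= out_cap)           /* would overflow out (need room for NUL) */
        return PARSE_TOO_LONG;
    memcpy(out, pkt + 1, n);
    out[n] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed samples: well-formed; claims more bytes than it carries;
     * carries a field larger than the destination buffer. */
    const unsigned char good[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    const unsigned char lying[] = { 200, 'x' };
    unsigned char big[41];
    char nick[NICK_CAP];
    int rc;
    big[0] = 40;
    memset(big + 1, 'A', 40);
    rc = parse_nick(good, sizeof good, nick, sizeof nick);
    printf("good:  rc=%d nick=%s\n", rc, nick);
    rc = parse_nick(lying, sizeof lying, nick, sizeof nick);
    printf("lying: rc=%d\n", rc);
    rc = parse_nick(big, sizeof big, nick, sizeof nick);
    printf("big:   rc=%d\n", rc);
    return 0;
}
```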
The worm repeatedly wrote data onto the initial sectors of the hard drive, overwriting data the system needed to operate and eventually disabling the host. After infecting a computer, Witty sent itself to additional random target systems.

"The Witty worm infected less than 1 percent of the customer base for the vulnerable products," Thompson noted.

David Geer