Vendors just don't care, says researcher, after finding basic boo-boos in security software
By Darren Pauli, 29 Jul 2014
Organisations should get their antivirus products security tested before deployment because the technology across the board dangerously elevates attack surfaces, COSEINC researcher Joxean Koret says.
COSEINC is a Singapore security outfit that has run a critical eye over about 17 major antivirus engines and products and found dangerous locally and remotely exploitable vulnerabilities in 14.
Koret's analysis also suggests that antivirus companies fail by requiring overly extensive privileges, not signing product updates and delivering those over insecure HTTP, running excessive old code and not conducting proper source code reviews and fuzzing.