That is interesting. Not so long ago Rob and I spoke at Microsoft’s Bluehat conference about a variety of topics under the heading of “Breaking and Breaking into Microsoft Security tools”. One of the sections covered how easy it is to reverse an Anti-virus tools rule set and modify it which concluded with a live demo of a popular tool causing a Windows XP SP2 machine to crash.
I open my rss reader this morning and b00m, Whitedust has an article about something similar happening in China. It may not have been malicious but it still shows something that Rob and I have been talking about for years: security problems exist because code has gotten so complex it’s hard to get right. The solution for this is not layering more complex code on top of the already broken code and hoping the dam holds.
A leading industry analyst I know said “it’s amusing that since blaster, we've had bigger outages from bad AV signatures on most major products than the viruses themselves”. Can anybody else see the sun setting on these products?
UPDATE: Infoworld is also running a story on it.
I wonder what this means for the coming 5-10 years? Security into the network? the Data? Moving away from Windows because, let's face it, Micrsoft really can't ever just start over because so much crap depends on what has already been made...which means more and more crap on top of crap...and it's just never good. Or maybe MS will just reinvent Windows like the reinvented Batman or Bonds from the past year? :) Finally breakout out of the whole "run as admin 98% of the time" into more fully user-only running? Or better yet, a trend back to terminals like TS or Citrix where all of this crap on crap is managed centrally?
If it were just lockups and outages from AV signatures, that would be bad enough. But the most offensive thing is when AV software exposes you to remote exploits WORSE since the code has admin privileges EVEN if the user is not running as admin.
What's really offensive is that some AV software FORCES you to run as administrator so that the update can run.
Post a Comment