When deploying security software – be sure it’s written by experts

A colleague pointed out this interesting thread, about a variety of security exploits in Trend Micro’s ‘Password Manager’ module:

The nature and severity of the exploits are … breathtaking. The slow and indecisive response of the vendor is similarly amazing. For TrendMicro customers, the conclusion is simple: don’t install this thing. More generally, it’s clear that the team who built the product has a very weak grasp of security. Is it just this team, or the whole company? Who knows? What about other vendors in the IT security space?

It turns out that other security products, theoretically designed to protect you, actually introduce their own exploits, as discussed here, and herefor example.

That’s quite scary, because most users think they are improving their security posture by deploying such software, but (a) these programs require very deep OS privileges to run, and (b) these programs are, it seems, sometimes written by people who don’t have the skills required to write secure code. The consequence is that users, thinking they are doing the “right thing,” are actually endangering themselves.

What to do?

First, I’m not much of a fan of anti-malware software. The OS (Linux, Mac, Windows, etc.) is more secure than most people imagine — most vendors have been taking security quite seriously for years now, have pretty good designs and usually respond promptly to any discovered vulnerabilities. Do turn on the security features of your OS, do encrypt your filesystems, do keep your software actively and promptly patched, do avoid sketchy web sites, and you should be fine. Where’s the anti-malware program in that narrative? Notably absent!

Second, if you do go for anti-malware, keep an eye on public disclosures of exploits. If a vendor has been caught doing egregiously dumb things – as TrendMicro has here – then avoid them. Who knows what other products have been infected by the same clueless development practices?

Safe computing!

Tags: , ,

Comments are closed.