European researchers recently demonstrated proof-of-concept of how your antivirus and host-based IDS/IPS engines could be used against you. (See Researchers: Bugs Can Turn Security Tools Against Their Users.)
Thierry Zoller, security engineer for German security firm n.runs AG, and Sergio Alvarez, head of research at n.runs, over the last year or so have found hundreds of vulnerabilities in these security tools, some of which have been fixed by the affected vendors.
The flaws -- which are in the "parser engines" of security scanners -- either let attackers sneak malware past AV and IDS/IPS tools and into the corporate network, or read or send email from a corporate email server as well as open a backdoor on the server.
N.runs is currently testing software it has developed to resolve this parsing problem, and plans to release it as a product in the fourth quarter.
Zoller and Alvarez demonstrated their POC at last month's HackLu2007 conference in Luxembourg. Zoller says the problem is that these parser flaws cause a layered, defense-in-depth strategy to backfire on an organization.
"Companies think they are doing defense-in-depth when they really aren't. What they are doing is increasing the attack surface exponentially, by placing one AV engine after the other," he says.
The researchers say one vendor had a code-execution bug that was 10 years old. "The parsing code simply was reused with all the new versions and never scrutinized for potential problems," he says. Code reuse is part of the problem: "When we found a parsing bug, we were 100 percent sure all the vendor's product line was affected," he says.
Kelly Jackson Higgins, Senior Editor, Dark Reading