Security software faces increased hack attacks

Antivirus products ripe for exploitation, say analysts

By Joris Evers, 21 June 2005 09:25

As the pool of easily exploitable Windows security bugs dries up, hackers are looking for holes in security software to break into PCs, analysts said.

Software makers of ubiquitous antivirus products have not yet been forced to acknowledge and fix potential problems in their code, analysts with Yankee Group wrote in a research paper published on Monday. As a result, antivirus software is like low-hanging fruit to hackers, according to the analysts.

Microsoft's Windows operating system has been a favourite target of hackers but new security flaws are being discovered in security products at a faster rate than in Microsoft's products, the analysts wrote. In the 15-month period ending 31 March, 77 separate vulnerabilities have been reported by security vendors, they wrote.

CheckPoint Software Technologies, F-Secure and Symantec are among the vendors that have seen a rise in the number of security issues that affect their products in the past years, according to Yankee Group.

If the trend continues, the number of vulnerabilities for security products will be 50 per cent higher than 2004 levels, according to the analysts. While Microsoft flaws continue to flow, the rate has decreased notably, according to the analysts. They credit the release last year of Windows XP Service Pack 2, a security-focused update.

Yankee Group predicts a "rising tide" of vulnerabilities will be found in security products. Software makers should look at their security processes, and users need to get ready to patch security products, the analysts wrote. Also, buyers should ask tough security questions when buying new products, they advise.

Joris Evers writes for CNET News.com

Comments

There is 1 comment.

  1. anonymous

    It's OK to say that Microsoft vulnerabilities are drying up but that doesn't account for the fact that organisations are still not applying the patches for the vulnerabilities, so hackers will keep on probing the weaknesses. There has also been a misconception for many years in relation to vendor security products. Just because it's a security product doesn't mean it's a secure product; in the main they are as badly designed and coded as the rest.

    From my experience buyers aren’t bothered about asking tough questions about security products as the driver for security is not always to improve security. Mostly it’s a tick-in-the-box requirement, a recommendation from an external auditor of some kind, that drives the need.
