Does antivirus software do more harm than good?

Bontchev agrees that antivirus design too often uses "design that is not the best from a security point of view," but, once again, "while the complaints are correct, the conclusion is completely wrong". To Bontchev, there is good reason to meddle with HTTPS, for example, as plenty of malware uses such encrypted channels for communication. "If you don't break the encryption, you can see which site the user is trying to visit (more exactly, its IP address) but not which particular link (URL, page) on this site," he argues. "Sometimes malware is stopped because the user is attempting to access a 'known bad' URL. If you can't get the URL, you can't stop it."

Time for another risk assessment. "What presents a greater risk: attackers trying to break your encryption when you're visiting sites, or commodity malware that would infect your machine?" Bontchev asks. "While the former isn't harmless (it can lead to the attacker capturing your passwords), it is rare; practically unheard of, except when professional spy agencies are involved. The latter, commodity malware, happens every damn day to millions of people."

The jury's verdict

Whether you need to worry about antivirus' inherent flaws depends on your risk profile. If you're a potential target of state-sponsored hacking or other serious, targeted attacks, the bugs in antivirus may well present a serious risk.

But what about the rest of us? We asked resident security guru Davey Winder for his thoughts. "Remember, all software has bugs. Would I suggest you don't use any AV software? No, of course not. Similarly, I wouldn't suggest you rely upon any antivirus software alone to protect your networks and data. A multi-layered security posture is the way forward for most people, most of the time; and antivirus remains a valid layer within that posturing."

The antivirus firms also seem to be stepping up their own security. They are wisely starting to offer bug bounty payments to encourage security researchers to cast a glance over their code, and while some seem to view Ormandy et al with a suspicious eye, others are happy to work with flaw finders to harden their software.

But that only addresses the coding flaws in antivirus. Where it sits makes those bugs more dangerous. Perhaps it's time for antivirus to develop a better, safer scanning system. Sullivan points out that F-Secure doesn't play man-in-the-middle to watch over HTTPS traffic. "We are missing one opportunity to spot some malicious code and kill it in the bud," he admits. "But we made that call several years back that we don't want to be in the position of being a man-in-the-middle, even if that is a trusted man-in-the-middle. You just have to work harder on the other layers you've got."

Other developers (see below) note that Chrome and Firefox both support other techniques to filter traffic, so no "man-in-the-middle" is required.

In the meantime, users are being left with something of a Hobson's choice. "Should the antivirus products use better, more secure designs? Absolutely! There is much that needs improvement in this aspect," Bontchev argues. "But, most importantly, what is needed is a dialogue."

While the pursuit and publication of antivirus bugs has raised awareness of the issue, it's key for antivirus makers and bug hunters to remember they're working towards the same goal: keeping users safe.

What happens when antivirus breaks your software?

Ask a developer about antivirus meddling with their own software's security, and you'll get an earful. Matthew Holt is the author of the Caddy web server and has battled antivirus to keep his software working properly.

"A trusted, uncompromised website used a modern certificate with elliptic curve cryptography," he explains. "Browsers already supported this emerging technology at the time, so a direct TLS connection between the browser and the website would have succeeded.

"However, users who were running antivirus software or were behind some corporate/university firewalls observed ERR_CONNECTION_CLOSED errors," he adds. "They were not able to access the site at all. Inspecting packet transmissions with Wireshark revealed that the connection was being downgraded to TLS 1.1. This is highly suspicious since the site supported HTTP/2 which requires TLS 1.2.

"Bizarrely, disabling antivirus or going off-campus made it possible to connect to the site using the exact same computer and browser." It became clear that the antivirus program (in this instance Avast, although Holt has previously had issues with AVG, Kaspersky and others) and university firewalls were severing the TLS connection, then creating their own between them and the server so they could decrypt the traffic in between.

"Unfortunately, the TLS stack used by the firewall and the antivirus programs were outdated and did not support modern protocols or cipher suites. This not only broke the connection in this case and many others, but compromised the security of all other HTTPS connections it made, even if the server supported more secure configurations that the browser would have preferred!" he explains.

Holt argues antivirus firms should stop using this "man-in-the-middle" technique, given the havoc it wreaks on browser-level security. "Both Chrome and Firefox support saving session keys to a file (if the user enables it). This is already useful for debugging connections with Wireshark, and it should provide AV products with the access they need without compromising network security. This is passive inspection; no [man-in-the-middle] required."
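The following Go program is an added example, not code from the article, from Caddy or from any antivirus vendor. It reproduces the failure Holt describes in-process and contrasts it with the key-log route he prefers: a server that insists on TLS 1.2 and offers HTTP/2 is joined to a client capped at TLS 1.1 (standing in for an interception stack with an outdated TLS implementation) and to one capable of TLS 1.2, while the client writes its session secrets in the SSLKEYLOGFILE format that Wireshark reads. The host name, the self-signed certificate and both configurations are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedEC is a throwaway P-256 certificate standing in for the site's
// elliptic-curve certificate (constructed here, not any real site's).
func selfSignedEC() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"site.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake joins a server that, like Holt's site, insists on TLS 1.2 and offers
// HTTP/2 (ALPN "h2") to a client capped at clientMax, modelling an intercepting
// proxy's outdated TLS stack. It runs over net.Pipe (no network needed) and reports
// the negotiated version, the ALPN protocol, and whether session secrets were logged.
func Handshake(clientMax uint16) (version uint16, alpn string, keyLogged bool, err error) {
	srvConn, cliConn := net.Pipe()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{selfSignedEC()}, MinVersion: tls.VersionTLS12,
		NextProtos: []string{"h2", "http/1.1"}, SessionTicketsDisabled: true} // nothing trails Finished on the synchronous pipe
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, srvCfg).Handshake() }()
	var keyLog bytes.Buffer // receives "CLIENT_RANDOM ..." lines, the format Wireshark decrypts with
	c := tls.Client(cliConn, &tls.Config{
		InsecureSkipVerify: true, MinVersion: tls.VersionTLS11, // test-only cert; old version explicitly re-enabled
		MaxVersion: clientMax, NextProtos: []string{"h2", "http/1.1"}, KeyLogWriter: &keyLog})
	err = c.Handshake()
	st := c.ConnectionState()
	cliConn.Close() // unblocks the server goroutine if the handshake was aborted
	<-srvErr
	if err != nil {
		return 0, "", false, err
	}
	return st.Version, st.NegotiatedProtocol, keyLog.Len() > 0, nil
}
```

A TLS 1.1-capped client is refused outright (the ERR_CONNECTION_CLOSED Holt's users saw), while the TLS 1.2 client negotiates "h2" and still leaves a key log that a passive decryptor can use without anyone sitting in the middle.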

Main image credit: Bigstock