Security products among the most vulnerable software

Security products made it to the naughty list of 46 software products considered to be the most vulnerable over a three-month period

Why do you spend the big bucks for security products? For protection, right? But many of the top security vendors utilize open-source or third-party components and libraries that are seemingly packed with vulnerabilities.

While this is something you already know, a new report found that security products are some of the most vulnerable software. Flexera Software, which acquired Secunia in 2015, noted that between August and October of 2016, 46 products made it to the top 20 most vulnerable products. Eleven of those software products overflowing with vulnerabilities were security-related products.

The Flexera report (pdf) referenced a Forrester report about security products that allegedly “have your back” but really don’t, since the products aren’t secure.

You might like to know what security vendors landed on the naughty list over a three-month period, other than a general name-shame-blame pointed at vendors such as AlienVault, IBM, Juniper, McAfee, Palo Alto and Splunk. Flexera didn’t actually call the list of top 20 most vulnerable products the naughty list; instead, the company explained:

The Top 20 are the 20 products with the most vulnerabilities in the specified month, out of the more than 50,000 products verified by Secunia Research, and recorded in the Vulnerability Database.

[Image: Flexera Software's top 20 vulnerabilities in August & Sept 2016]
[Image: Flexera Software's top 20 vulnerabilities in Oct 2016]

No one would be shocked to see products such as Adobe Flash, Windows or Oracle on a most-vulnerable list, but OS X made the list, too.

Out of the 46 most vulnerability-riddled products over a three-month period, five were web browsers: Apple Safari, Avant Browser, Cyberfox, Google Chrome and Mozilla Firefox. Three were related to PDFs: Adobe Reader, Adobe Acrobat and Foxit Phantom PDF.

“Open source components constitute as much as 50 percent of the global code base,” said Flexera’s Jeff Luszcz. “And, as the Heartbleed open source vulnerability reminds us, vulnerable open source components built into software products can cause global disruption if they are not discovered and patched prior to delivering software products to customers.”

Internet of Things (IoT) manufacturers also “routinely use open source components within their software code,” Luszcz said. “Every software and IoT producer must understand these risks and leverage technology to automate open source component scanning, governance and vulnerability management.”

New Mirai variant used in global attack

Speaking of IoT vulnerabilities, it would be remiss not to mention the new Mirai variant that whacked Deutsche Telekom routers and caused an outage that affected 900,000 customers since Sunday. Attackers modified the Mirai code so it would also seek out devices that leave port 7547 open to outside connections and then abuse TR-069 and TR-064 protocols.
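A defender's view of the scanning behaviour described above, as an added example that is not part of the original article or of any vendor's tooling: it parses constructed netfilter-style firewall log lines, counts WAN-side TCP connection attempts to port 7547 per source, and reports sources that probed repeatedly. The log format, the interface name eth0 as the WAN side, and all addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed netfilter-style log lines (not real Deutsche Telekom or CPE logs), modelling
# what an edge firewall records when the Mirai variant probes TCP/7547 from the WAN side.
SAMPLE_LOG = """\
Nov 27 14:01:02 cpe kernel: [WAN-IN] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=7547 SYN
Nov 27 14:01:03 cpe kernel: [WAN-IN] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=7547 SYN
Nov 27 14:01:05 cpe kernel: [WAN-IN] IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=443 SYN
Nov 27 14:01:09 cpe kernel: [WAN-IN] IN=eth0 SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=33000 DPT=7547 SYN
Nov 27 14:02:11 cpe kernel: [LAN-IN] IN=br0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=52000 DPT=7547 SYN
Nov 27 14:02:30 cpe kernel: [WAN-IN] IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=5353 DPT=7547
"""

# Key=value fields as written by iptables/nftables LOG targets; OUT=/MAC= may sit between IN= and SRC=.
FIELD_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

CWMP_PORT = 7547        # TR-069 (CWMP) port the variant probes; TR-064 is meant for the LAN side only
WAN_IFACES = {"eth0"}   # assumption: eth0 is the WAN-facing interface of the router

def parse_line(line):
    """Return the parsed fields of one log line, or None if it carries no port fields."""
    m = FIELD_RE.search(line)
    if not m or m.group("dpt") is None:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def wan_cwmp_hits(log_text):
    """Count TCP connection attempts to the CWMP port that arrive on a WAN interface.
    LAN-side TR-064 traffic and non-TCP packets are ignored so they do not inflate the count."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["iface"] in WAN_IFACES and rec["proto"] == "TCP" and rec["dpt"] == CWMP_PORT:
            hits[rec["src"]] += 1
    return dict(hits)

def suspected_scanners(log_text, min_hits=2):
    """Sources that probed the port at least min_hits times (worm-style scanning, not a stray SYN)."""
    hits = wan_cwmp_hits(log_text)
    return sorted(((src, n) for src, n in hits.items() if n >= min_hits), key=lambda t: -t[1])

if __name__ == "__main__":
    for src, n in suspected_scanners(SAMPLE_LOG):
        print(f"{src}: {n} WAN-side attempts on TCP/{CWMP_PORT}")
```

The same WAN-interface/port-7547 condition is what an ISP-side temporary port block (the control Grossman suggests later in the article) would match on while customers wait for the firmware fix.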

The attackers were crafty, but perhaps it’s not rocket science.

Jeremiah Grossman, chief of security strategy at SentinelOne, said via email: “The vulnerability itself is extremely common—essentially, it's a remote OS command execution, which has been listed for many years on the OWASP Top 10 and CWE Top 25 lists.”

In early November, thousands of modems were regarded as vulnerable to a Metasploit module with proof-of-concept code that would allow an attacker to take control of broadband modems. In the words of BadCyber researchers, “It looks like someone decided to weaponize it and create an internet worm based on Mirai code.”

Although nearly 1 million German customers were affected, Deutsche Telekom security executive Dirk Backofen told Reuters, “It was a global attack against all kinds of devices.”

According to a researcher from Xiphos Research, there are “48 devices vulnerable to the main TR-064/TR-069 issue.” A little later, he tweeted:

[Embedded tweet by Bobby 'Tables: TR-064 vulnerability scan]

Deutsche Telekom started pushing out fixes almost immediately. Grossman remarked:

A couple of things strike me as odd. The software patch was made available to customers extraordinarily fast. It was almost as if the vendor already knew about the vulnerability, had the patch ready to go, but for some reason was waiting on making it available ahead of the wide-scale exploitation. Perhaps the company was waiting on a few more features to include before distribution—and the exploitation incident caught them by surprise.

Secondly, it would also seem that the ISP could have added temporary network security controls (port blocking) to prevent compromise for those who haven’t yet patched—or might never. Getting home users to patch their routers is challenging, and frankly, most of them simply won’t.

“Wide scale attacks on home routers have become more common in recent years,” Grossman added, “and we shouldn’t expect that this will be an isolated case.”

Sadly, as Flexera’s report indicated, even after spending thousands of dollars you shouldn’t count on your security products being secure enough at all times to protect you, because of the flawed third-party and open-source components and libraries they are built on.

Copyright © 2016 IDG Communications, Inc.