Billions of antivirus users worldwide are at risk thanks to low-hanging vulnerabilities in high-profile security products from vendors that can brag of being awarded a security certification for their product. If you feel comforted by your antivirus vendor’s boast of having a certification from Verizon, then maybe you need to rethink that. Google Project Zero security researcher Tavis Ormandy says the methodology behind Verizon’s certification is “about as ridiculous as you would expect,” but vendors follow the gimpy guideline criteria (pdf), pay the fee to be certified, and users tend to view the certification as some sign of excellence to be trusted.

Ormandy has been trying to clean up some of the “low hanging vulnerabilities” in high-profile security products. Most recently, he’s been focused on Comodo Antivirus. Ormandy pointed out a few of the “simple” security issues he identified, but it’s not just Comodo; he’s found vulnerabilities in many big-name security products such as Malwarebytes, Avast, AVG, FireEye, Trend Micro and more.

Whatever you do, don’t ask Ormandy which antivirus should be used, as he says that misses the point.

Taking Comodo as an example, Ormandy explained that the first vulnerabilities he found required no skill, as point-and-click tools can find them. But when he used more advanced skills, he found “hundreds of critical memory corruption flaws” and “even more serious design flaws and logic errors.” And that was without having access to the source code and developer documentation.
Meanwhile, as Ormandy is “trying to clean up some of the low hanging fruit that is endangering billions of users worldwide,” Comodo is bragging about having received the “Excellence in Information Security Testing Award” from ICSA Labs, which is an independent division of Verizon.

Comodo senior VP of engineering Egemen Tas said, “Customers across the globe continue to show great confidence in Comodo’s ability to protect their endpoints and networks from today’s security threats of both the known and unknown kind. This recognition by ICSA Labs is an important third-party validation of Comodo’s leading security capabilities and technologies.”

Yet Ormandy said, “These are the meaningless tests that antivirus vendors will actually scramble to pass. Perhaps the first step in improving the situation throughout the industry is making sure these certifications actually test something worthwhile.”

Ormandy doesn’t believe the antivirus industry will “make even a token effort” at resolving security issues “unless their hand is forced.” He tossed out a few suggestions, such as integrating Microsoft’s Security Development Lifecycle (SDL) verification into the testing process and awarding bonus ranking points to vendors that implement sandboxing.

He concluded:

“Something has to change soon. The next Slammer or Code Red isn’t going to target IIS or MSSQL: the security of Microsoft products is in a different universe than it was a decade ago. All of the major security vendors are using ancient codebases with no awareness of modern security practices; it’s still hacking like it’s 1999.”