Skip Links

NSS Labs: Testing shows most AV suites fail against exploits

Many vendors fail to develop further signatures to guard against different exploits that use the same vulnerability

By Jeremy Kirk, IDG News Service
August 17, 2010 09:40 AM ET

IDG News Service - A majority of security software suites still fail to detect attacks on PCs even after the style of attack has been known for some time, underscoring how cybercriminals still have the upper hand.

NSS Labs, which conducts tests of security software suites, tested how security packages from 10 major companies detect so-called "client-side exploits." In such incidents a hacker attacks a vulnerability in software such as Web browsers, browser plug-ins or desktop applications such as Adobe Acrobat and Flash.

NSS Labs is an independent security software company that unlike many other testing companies does not accept vendor money for performing comparative evaluations. Vendors are notified, however, and are allowed to make some configuration changes before NSS Labs' evaluation.

"This test -- the first of its kind in the industry -- was designed to identify how effective the most popular corporate endpoint products are at protecting against exploits," according to the report. "All of the vulnerabilities exploited during this test had been publicly available for months (if not years) prior to the test, and had also been observed in real attacks on real companies."

The attacks are often done by tricking a user into visiting a hostile Web site that delivers an exploit, or a specially crafted code sequence that unlocks a vulnerability in a software application, according to the NSS Labs report.

There can be different variants of exploits that attack the same vulnerability but target different parts of a computer's memory. Security vendors frequently add signatures to their databases that enable the software to detect specific exploits, but those exploits may evolve.

"A vendor may develop a signature for the initial exploit with the intent to later deliver subsequent signatures," the report said. "Our testing has revealed that most vendors do not take these important additional steps."

Only one of the 10 software suites tested detected all 123 exploits and variants, which were designed to attack vulnerabilities in software such as Microsoft's Internet Explorer browser, Firefox, Adobe Acrobat, Apple's QuickTime and others.

The 10 software suites scored vastly different, with one catching all of the exploits at the top end and 29 percent at the low end.

NSS Labs said the average protective score was 76 percent among the 10 suites for "original exploits," or the first exploit to be made publicly against a particular software vulnerability. Three of the 10 caught all original exploits. For variant exploits, the average protective score was 58 percent.

"Based on market share, between 70 to 75 percent of the market is under protected," the report said. "Keeping AV software up-to-date does not yield adequate protection against exploits, as evidence by coverage gaps for vulnerabilities several years old."

NSS Labs president, Rick Moy, said all of the vulnerabilities are "low-hanging fruit." Information on the vulnerabilities has been available in some cases since 2006, which means the hackers all know the problems and the exploits are still being used.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News