This week, Google security researcher Tavis Ormandy announced that he’d found numerous critical vulnerabilities in Symantec’s entire suite of anti-virus products. That’s 17 Symantec enterprise products in all, and eight Norton consumer and small-business products. The worst thing about Symantec’s woes? They’re just the latest in a long string of serious vulnerabilities uncovered in security software.

Some of Symantec’s flaws are basic, and should have been caught by the company during code development and review. But others are far more serious, and would allow an attacker to gain remote-code execution on a machine, a hacker’s dream. One particularly devastating flaw could be exploited with a worm. Just by “emailing a file to a victim or sending them a link to an exploit ... the victim does not need to open the file or interact with it in any way,” Ormandy wrote in a blog post Tuesday, further noting that such an attack could "easily compromise an entire enterprise fleet."

It gets worse. The flaw exists in an unpacker Symantec uses to examine compressed executable files it thinks might be malicious. So the vulnerability would let attackers subvert the unpacker to take control of a victim’s machine. Essentially, a core component Symantec uses to detect malware could be used by intruders to aid their assault.

"These vulnerabilities are as bad as it gets," Ormandy wrote. He would know. Ormandy has previously discovered serious flaws in products belonging to a string of high-profile security shops like FireEye, Kaspersky Lab, McAfee, Sophos, and Trend Micro. In some cases, the flaws only allowed an attacker to bypass antivirus scanners or undermine the integrity of detection systems. But in others, like this Symantec scenario, they turned the security software into an attack vector for intruders to seize control of a victim’s system.

This isn’t the way it’s supposed to be. Security software tasked with protecting our critical systems and data shouldn’t also be the biggest vulnerability and liability present in those systems. Ormandy has criticized the antivirus industry for years for failing to secure its own software, and for failing to open its code to security professionals to audit for vulnerabilities.

It's a serious problem, though it's unclear how actively hackers exploit these vulnerabilities. "[W]e don't have perfect visibility into what attackers are doing," Ormandy wrote in an email to WIRED. "We do have good evidence that antivirus exploits are bought and sold on the black and grey markets, but we rarely find out what the buyers use them for."

Computing’s Soft Underbelly

Security software is an ideal target for attackers because it’s trusted code that operates with high levels of privilege on machines, giving attackers a great advantage if they can subvert it. In many cases, the same software can be running on every desktop or laptop machine on an organization’s network, exposing a large attack surface to compromise if the software contains vulnerabilities. And that’s just antivirus code. Other security software, such as intrusion detection systems and firewalls, is an even juicier target, says Chris Wysopal, CTO of Veracode. It sits in a prime spot on an organization’s network, connecting to a lot of important machines, and accessing most of the data traffic that crosses it.

Because of this, Wysopal says that security vendors should be held to a higher standard than the makers of other software. Yet aside from Ormandy, few security researchers have examined these systems for vulnerabilities. They've focused instead on finding vulnerabilities in operating system software and applications, while ignoring the software that purports to keep us secure.

Wysopal suggests security researchers may overlook security software because they’re too close to the problem. Many in this line of work are employed by other security firms, he says, “and they’re not going to attack their own. Maybe it doesn’t look good for a Symantec researcher to be publishing a flaw in McAfee.”

Ormandy says it's more likely a matter of skill sets. Most security professionals employed by companies reverse-engineer malware rather than digging through code for vulnerabilities.

"I think the set of skills needed to understand vulnerabilities is entirely different than the skills and training necessary to analyze malware—even though they're both considered security disciplines," he told WIRED. "So, it's entirely possible to be a competent malware analyst without understanding secure development."

That still doesn’t explain why the security firms who put out the flawed products Ormandy exposed haven’t given their products more scrutiny themselves.

Wysopal, whose company performs static analysis of software code to uncover vulnerabilities, attributes the lapses to security firms hiring developers who have no special training in writing secure code.

“There’s this assumption that if you work at a security software company, you must know a lot about security, and it’s just not true,” he says. “Security software companies aren’t getting specially trained developers that know about good coding [or are] better at preventing buffer overflows than your average engineer.”

Another issue is the language in which security software is written. Much of it, Wysopal notes, is written in C and C++—programming languages that are more prone to common vulnerabilities like buffer overflows and integer overflows. Companies use them because the security software has to interact with operating systems that are written in the same languages. Security software also performs complex parsing of files and other operations, which can make writing it more difficult and more prone to error.

Those restrictions and complications shouldn't let security firms off the hook, Wysopal says.

“If you have to use a riskier language, that would mean you’re going to have to spend more time on testing and code review to get it right,” he says. Fuzzing, for example, is an automated technique used by both security researchers and attackers to find vulnerabilities in software. But the security firms Ormandy has exposed don’t appear to have fuzzed their code to uncover flaws.

“Sometimes you look at a bug and there’s no way an automated tool could have found this; someone would have to really pore over code intensely [to find it],” says Wysopal. “But a lot of these issues could have been found with automated fuzzing, and it’s not clear why those weren’t found [by the companies on their own].”

In some cases the security software in question may be legacy code written years ago when fuzzing and other modern techniques for uncovering vulnerabilities weren’t used. But Wysopal says now that such techniques are available, companies should use them to review old code. “Once new testing tools come out that security researchers use and attackers use, you have to start using those tools too,” he says. “It doesn’t matter if it’s just an old code base that you wrote or you acquired, you can’t let your security process remain stagnant.”

But Ormandy says the problems with security software go beyond merely lapses in coding and code review. He says many of these programs are insecure by design.

"I think the problem is that antivirus vendors have rarely adopted the principle of least privilege, [which] refers to limiting privilege to the highest-risk portions of software functionality so that if something goes wrong the whole system isn't necessarily compromised," Ormandy says.

Unfortunately, antivirus scanners need to have high privileges in order to insert themselves into every part of the system and see what documents you're opening, what's in the emails you receive, and what web pages you're visiting, he says. "[F]etching that information is a small and tractable problem, but they don't just fetch it and pass it to an unprivileged process to analyze—they do everything at the same privilege level."
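As an added illustration of the split Ormandy describes (not Symantec's or Ormandy's code): the privileged parent only fetches the bytes and forks a child that caps its own CPU and memory, drops to an unprivileged uid, and runs the unpacker; a crash or bomb inside the unpacker comes back as a failed scan instead of taking down the privileged process. It assumes Linux/POSIX, a constructed toy run-length format, uid/gid 65534 as an unprivileged account, and a `CRASH` marker standing in for a native crash in the parser.

```python
import json, os, resource, select, signal

def unpack_rle(data: bytes) -> bytes:
    """Toy unpacker (constructed): 5-byte records, 4-byte big-endian count + 1 byte."""
    out = bytearray()
    for off in range(0, len(data), 5):
        rec = data[off:off + 5]
        if len(rec) != 5:
            raise ValueError("truncated record")
        count = int.from_bytes(rec[:4], "big")
        if len(out) + count > (1 << 20):         # 1 MiB cap: a bomb fails fast
            raise ValueError("output cap exceeded")
        out += rec[4:5] * count
    return bytes(out)

def _child_scan(data: bytes, wfd: int) -> None:
    """Forked child: cap resources, shed privileges, then do the risky parsing."""
    for res, val in ((resource.RLIMIT_CPU, 2), (resource.RLIMIT_AS, 2 << 30)):
        try:
            resource.setrlimit(res, (val, val))  # 2 s of CPU, 2 GiB address space
        except ValueError:
            pass                                 # hard limit is already tighter
    if os.geteuid() == 0:                        # uid/gid 65534 assumed to be "nobody"
        os.setgroups([]); os.setgid(65534); os.setuid(65534)
    if data.startswith(b"CRASH"):                # constructed stand-in for a native crash
        os.abort()
    try:
        verdict = {"ok": True, "unpacked_len": len(unpack_rle(data))}
    except Exception as exc:
        verdict = {"ok": False, "error": "%s: %s" % (type(exc).__name__, exc)}
    os.write(wfd, json.dumps(verdict).encode())
    os._exit(0)

def scan_in_sandbox(data: bytes, timeout: float = 5.0) -> dict:
    """Privileged side: fetch the bytes and hand them over; never parse them here."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:
        _child_scan(data, wfd)                   # never returns
    os.close(wfd)
    ready, _, _ = select.select([rfd], [], [], timeout)
    if not ready:
        os.kill(pid, signal.SIGKILL)             # hung unpacker: kill it, keep going
    payload = b"".join(iter(lambda: os.read(rfd, 65536), b"")) if ready else b""
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status) or not payload:    # the child died; the parent did not
        return {"ok": False, "error": "unpacker died, wait status %d" % status}
    return json.loads(payload)
```

A real deployment would add a seccomp or namespace confinement around the child and run one child per file so a single hostile input cannot poison later verdicts.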

To its credit, Symantec promptly fixed the vulnerabilities Ormandy uncovered, and produced automated patches for customers to apply in cases where that was feasible. But this doesn’t mean its software is now error-free.

Wysopal says for security companies like Symantec to regain the trust of customers, they have to do more than just release patches. They have to commit to changing the way they operate.

When Target suffered a massive breach in 2013, Wysopal says "we saw other big retailers say we’re going to be next, so let's understand what Target could have done to prevent this and let's do that too. I don’t really see that so far with security vendors, and I’m not quite sure why."

Ormandy says he has spoken with some of these vendors who have committed to hiring external consultants to help them improve the security of their code going forward. "[T]hey simply didn't understand they had a problem until it was pointed out to them." Which may be the biggest problem of all.