By Thomas Kristensen
With a mind-blowing detection rate, almost 10 times higher than the nearest competitor, Symantec has beaten eleven other Internet Security Suites by offering a superior detection rate of exploits.
Secunia has tested the ability of twelve different Internet Security Suites to find out what level of protection they offer against 300 exploits targeting vulnerabilities in various high-end, high-profile programs.
So, does this mean that Symantec customers can feel safe surfing the Internet?
By no means!
Even the "high" score from Symantec was disappointing. Symantec detected a mere 64 out of 300 exploits, or less than one-fourth, leaving 236 exploits undetected!
Users don't patch
This, combined with the fact that too few users and companies patch their software, leaves the gates wide open for criminals. Recent statistics based on a nationwide campaign in Denmark show that approx. one-third of all programs installed on Danish PCs lack one or more security patches. These findings are, by and large, applicable to the rest of the world as well.
While we did suspect that the popular security vendors would score quite poorly in detecting exploits, the extremely low detection rate took us by surprise and this really begs the question: Do the customers get their money's worth?
You can find the complete list of exploits and vulnerabilities tested as well as details on which ones were detected and not detected, on the following link:
What is wrong
It is important to understand that once an exploit has been developed for a particular vulnerability, the payload (e.g. keylogger, bot code, remote control software, or other malicious code) can be changed at any time; however, the characteristics of what triggers the vulnerability are static.
Based on proper in-depth analysis of the vulnerabilities it is possible to create signatures for these characteristics for each individual vulnerability, giving very reliable detection.
Since this isn't the approach taken by the established security vendors providing those twelve Internet Security Suites, one can only hope that these vendors are superior in their ability to create signatures very rapidly for the payload of the various exploits and all the new virus strains that keep coming.
However, even with very rapid creation of payload-based signatures, all their customers are still left exposed for a considerable amount of time from the point when the criminals start distributing their new payload until it has been "caught", analysed, a signature has been created, the signature has undergone quality assurance testing, the signature is published, and finally downloaded and activated by the security software. This process is lengthy and will in a best case scenario take several hours.
Determining the characteristics of a vulnerability is somewhat more complicated and takes longer than creating a payload-based signature; however, it need only be done once. Often the security vendors can finish their analysis and create a signature in the same time as the criminals can develop an exploit and start their criminal attacks.
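To make the distinction drawn above concrete, here is an added example in Python. It is not code from Secunia or from the original article; the file format, the parser bug it describes, and the sample records are all constructed for illustration. A hypothetical parser of a toy "TOYF" record copies a length-prefixed name into a fixed 32-byte buffer without checking the length, so the static trigger characteristic is simply "declared length exceeds the buffer". One detector matches on a hash of a payload already seen (the payload-based approach); the other matches on the trigger characteristic itself. Changing the payload defeats the first detector and leaves the second untouched.

```python
import hashlib

# Constructed toy format: 4-byte magic, 1-byte length field, then `length`
# bytes of "name". The hypothetical vulnerable parser copies those bytes into
# a fixed 32-byte buffer without a bounds check, so a declared length greater
# than BUFFER_SIZE is the static characteristic that triggers the bug.
MAGIC = b"TOYF"
HEADER_LEN = 5
BUFFER_SIZE = 32


def build_record(name: bytes) -> bytes:
    """Assemble one TOYF record (hypothetical format, used only for samples)."""
    if len(name) > 255:
        raise ValueError("length field is a single byte")
    return MAGIC + bytes([len(name)]) + name


# Constructed sample inputs: one benign record, one exploit with a payload that
# has already been analysed, and one with the same trigger but a new payload.
BENIGN = build_record(b"report.txt")
KNOWN_PAYLOAD = b"A" * 40 + b"PAYLOAD-V1"
EXPLOIT_KNOWN = build_record(KNOWN_PAYLOAD)
EXPLOIT_REPACKED = build_record(b"A" * 40 + b"PAYLOAD-V2-REPACKED")

# Payload-based signature database: hashes of payloads that have been caught
# and analysed. Anything not yet in here is invisible to this detector.
KNOWN_PAYLOAD_HASHES = {hashlib.sha256(KNOWN_PAYLOAD).hexdigest()}


def payload_signature_match(record: bytes) -> bool:
    """Payload-based detection: does the body hash match a known payload?"""
    body = record[HEADER_LEN:]
    return hashlib.sha256(body).hexdigest() in KNOWN_PAYLOAD_HASHES


def trigger_condition_match(record: bytes) -> bool:
    """Vulnerability-based detection: does the record exercise the bug?

    Only the static characteristic of the vulnerability is inspected (the
    declared length versus the parser's buffer); the bytes that follow, i.e.
    the payload, are irrelevant to the decision.
    """
    if len(record) < HEADER_LEN or record[:4] != MAGIC:
        return False  # not a TOYF record; this signature does not apply
    declared_len = record[4]
    return declared_len > BUFFER_SIZE


def classify(record: bytes) -> dict:
    """Run both detectors over one record and report each verdict."""
    return {
        "payload_signature": payload_signature_match(record),
        "trigger_signature": trigger_condition_match(record),
    }


def summarize(records: dict) -> dict:
    """Map sample name -> verdicts, so a batch can be reviewed at once."""
    return {name: classify(rec) for name, rec in records.items()}


if __name__ == "__main__":
    samples = {
        "benign": BENIGN,
        "exploit_known_payload": EXPLOIT_KNOWN,
        "exploit_repacked_payload": EXPLOIT_REPACKED,
    }
    for name, verdict in summarize(samples).items():
        print(f"{name:26s} payload-sig={verdict['payload_signature']!s:5s} "
              f"trigger-sig={verdict['trigger_signature']}")
```

Running the block shows the asymmetry the article describes: the payload signature fires only on the record whose payload has already been analysed, while the trigger signature fires on both exploit variants and stays silent on the benign record. The trigger check also refuses to judge data that is not in the format at all, which is the kind of scoping a real vulnerability-based signature needs to keep false positives down.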
What to do
Users and businesses need to take the threat seriously and realise that firewalls and traditional security software, such as that included in Internet Security Suites, aren't sufficient to protect PCs and corporate networks.
Because the security industry can never offer protection that matches that of a properly patched program, consumers and businesses have to put more effort into patching their programs. If your programs are vulnerable and unpatched, then you're left quite exposed to new attacks.
What makes patching even more attractive is the fact that it is free of charge. It only costs the amount of time invested in downloading and installing the patch/update. With tools such as the free Secunia Personal Software Inspector (PSI) and the similar functionality offered by Kaspersky Internet Security 2009, it is very easy to identify the programs that need patching.