Hackers are increasingly taking aim at vulnerabilities in security products rather than operating systems, according to a new report.
Entitled Fear and Loathing in Las Vegas: The Hackers Turn Pro, the report accuses security vendors of being unready to deal with the rising tide of vulnerabilities affecting their products.
"It is time for the security vendors to stand up and make their own products more secure before they become preferred conduits for professionally designed malware," said Andrew Jaquith, Security Solutions & Services senior analyst at Yankee Group.
In a 15-month period up to March 2005, security vendors reported 77 separate vulnerabilities. The report said the rate of discovery of flaws in security products increased significantly faster than the rate for products by Microsoft. SC Magazine has reported many of the flaws affecting security products, including those from CA, McAfee, and Trend Micro. Jaquith said finding flaws in security products could prove more lucrative for hackers.
"Security researchers - whether they wear white, gray or black hats - are increasingly less interested in poking holes in desktop operating systems," he said. "A more fascinating and profitable area exists in finding vulnerabilities in the products meant to defend against the attacks themselves."
Writing in next month's SC Magazine, global technology editor Jon Tullett said no one should be surprised that there are flaws in many security products.
"Security products are being produced under enormous strain," said Tullett. "Rushed software tends to cut a QA corner or two, and this is a chief cause of vulnerabilities."
He added that security products tend to operate at a high level of privilege as they require intimate access to networks, databases, operating systems and third-party products. "Exploits will be likely to expose very valuable systems, and so are naturally attractive to attackers."
He urged vendors to overhaul their development practices and their customers to be more careful when purchasing products.