Last year a flaw in the way Microsoft applications process JPEG image files caused widespread alarm. The exploits could create a JPEG file formatted to trigger an overflow in a common Windows component and open a command shell on a vulnerable Windows system.
This, in itself, would not be damaging. What caused so much concern was that it would be a relatively simple step for a knowledgeable remote attacker to then add malicious commands to the script and potentially take full control of vulnerable systems.
To be at risk, users of Internet Explorer or Outlook had to open a modified JPEG file that triggered the flaw. They also had to have unpatched systems. Human nature meant there was plenty of scope for both conditions to be met, and the potential number of victims was enormous. This is just one illustration of how even the most innocuous of applications can be exploited.
Microsoft Office XML files are another example. Even though most users do not store Microsoft Office documents in the XML format, it is still necessary to provide protection for Word XML files in case they become compromised by some future exploit.
Unfortunately, there is unlikely to be an end to new and dangerous exploits for computer systems. Even supposing a really secure new operating system should emerge, it would still take years for the millions of users with old, unpatched operating systems to move over. And it only takes one old virus on one old system to infect a whole network.
In the meantime, users trust their antivirus solution to keep them protected. For antivirus vendors, dropping old virus signatures is simply not an option. There are definitions in our database for viruses that cannot run unless the user has MS DOS 3.21; others will only run on Windows 95 but not 2000. Yet we cannot afford to drop protection for past versions of Microsoft so long as there are people still using them.
As the number of computer viruses continues to increase – currently upwards of 100,000 known signatures – antivirus software vendors are the ones being relied on to remain vigilant. Keeping one eye on the past and another on the future means we face a constant battle to keep signature files within manageable proportions.
The antivirus vendor has the additional responsibility to provide the best possible user experience. This too is not without its challenges. Each new iteration of an antivirus product may result in longer scanning times or cause more conflicts with applications. Whether a new version scans faster or slower will vary from one user to another, depending on what file formats they use. For example, as Open Office gets more popular, users need their antivirus products to scan the archive structure in Open Office for viruses. Not every vendor chooses to scan these files by default.
Some vendors opt to pass on the costs of developing new signature files, code refactoring and scanning engine enhancement by making users renew their licence every year. You also have to pay to upgrade whenever a new version comes out.
Each time the software is updated with new signatures, more pressure is placed on the software’s storage and scanning capabilities as the signature databases get larger and larger. This is why antivirus companies constantly bring out new versions even when there are no apparent new features – just to keep their solution manageable for end users. This also helps to keep update files small, which makes them quick to download – an important factor during an outbreak, when there is so much traffic on the internet.
Antivirus vendors are doing everything possible to ensure users are protected from the very oldest to the very latest viruses. By keeping systems patched with the latest operating system updates, and by implementing antivirus software that updates automatically at regular intervals, you can be secure in the knowledge that your antivirus system is maintaining a constant vigil on your behalf.
The author is a partner at AVG.