AV software inadequate protection against exploits

Products fail to detect targeted Office exploits. Faster patching needed.

Research conducted by AV-Test.org has revealed a large and worrying variation in the detection by anti-malware products of Microsoft Office files carrying exploits. Catch rates for anti-virus products range from 96% to just 12.83%.


The tests, published in German magazine PC Welt, analysed the detection of over 800 exploits for vulnerabilities in Microsoft's Office software, many of which were in the public arena but remained unpatched at the time of testing.

The test set included several samples targeting the string of Microsoft Word flaws revealed in the last few months.

The top performers were WebWasher and G DATA's AntiVirusKit 2006, which both caught over 96% of the sample exploits. Close behind were Avira AntiVir and Symantec AntiVirus, also above 90%, while BitDefender, Kaspersky, F-Secure and McAfee products all achieved over 80%.

Catching just over 89% of the sample exploits, G DATA's AntiVirusKit 2007 performed somewhat less well than the previous (2006) version of the product, thanks to a change in one of the scanning engines used.

At the other end of the scale, Grisoft AVG, Panda, CAT Quick Heal and ClamAV were among many scoring below 40%, with VirusBuster bottom of the class on 12.82%.

Call to release patches earlier

Many of today's attacks are closely targeted for highly profitable phishing and industrial espionage, and are often carried in documents that are commonly used in a business environment rather than in the executables normally associated with malware (and therefore often blocked outright by administrators). The exploitation of such vulnerabilities has become a well-organised industry, and a major problem for network admins and end users worldwide.

Andreas Marx of AV-Test, who ran the tests, criticised Microsoft's record on patching exploits, particularly the company's monthly Patch Tuesday security fix system. With exploits available within days of a vulnerability being discovered, Marx said 'waiting for four or eight more weeks until patches are released makes no sense' and called for Microsoft to release patches earlier.

BitDefender, which did relatively well in the tests, released a separate warning last week that many products, including Microsoft's own Windows Live OneCare, fail to detect exploits using the Word vulnerabilities (OneCare fell in the mid-ground of the AV-Test figures, with around 68%). In a press release on the topic, which can be found here, BitDefender CTO Bogdan Dumitru is quoted as saying of Microsoft 'any doubts about the quality and fitness of their security software, or indeed about the company's "commitment to security" should have vanished just about now.'

Microsoft has announced a total of 12 security patches for its latest fix release, due later today, with the long-awaited Word fixes expected to be included in the batch. However, with many businesses requiring strict change control procedures be passed before patches can be rolled out, many will remain vulnerable to exploit attacks for some time, while others may even miss out on updates entirely.

The full results of the AV-Test comparison can be seen (with headings in German) here.

13 February 2007
