Statistically, a better question than that headline would be: “Did you bother to install anti-virus software?” Given the high percentage of tech users who readily admit they don’t have any software or have not installed an update since purchasing their original title, that’s a scary but valid point. But it might be less of a nagging threat than the industry has claimed all along, considering the high number of wide-open vulnerabilities in a lot of the major names in AV.
Unfortunately, one of the most widely recognized names in AV software–Symantec, creators of the Norton line of products and many others–is the subject of a recent security reveal by Google security researcher Tavis Ormandy, who uncovered frightening flaws in more than seventeen of Symantec’s products. The flaws include everything from overlooked pieces of code to “you guys should have known better”-sized holes in the kernel.
According to Ormandy’s post about the flaws, “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption. As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities.”
As bad as it gets? That’s hardly a ringing endorsement for a security product. But what are the implications for a company whose security product isn’t as secure as consumers and major businesses thought?
It’s no secret that data breaches have been setting new records every year since agencies like the Identity Theft Resource Center first began tracking them. It begs the question: how many of the major data breaches have involved retailers who thought they were fully protected, whether by Symantec or any other competitor’s product? As such, this news can have implications across several industries. While some companies were found to be clearly at fault for their own mess–like the third-party HVAC contractor whose employee downloaded a virus in a phishing email that ended up infecting Target, Inc., resulting in the loss of credit card information for tens of millions of the retailer’s customers–still other breaches have yet to be explained. If companies think they’re doing all they can to secure their data based on the protections they put in place, can they be held accountable for the damage if those protections were flawed?