Many antivirus suites are incapable of effectively blocking malware attacks against two recent and serious Microsoft vulnerabilities despite the fact that real exploits have been circulating since June, testing organisation NSS Labs has found.
The firm looked at the ability of 13 antivirus suites to defend unpatched systems against attacks exploiting vulnerabilities in Microsoft’s XML Core Services (CVE-2012-1889) and in Internet Explorer 8.0 (CVE-2012-1875), both made public in June.
Despite the fact that both were patched in June and July and should be on the radar of antivirus companies, only four products – from Trend Micro, Kaspersky Lab, McAfee and Avast - were able to offer full protection against the test exploits NSS Labs crafted to use against the vulnerabilities.
The rest were able to offer a degree of protection that depended on how the attacks were executed and which vulnerability was being tested.
Some products struggled when attacks were delivered over HTTP while a further several were unable to cope when attacks were executed via HTTPS, such as would be the case when using services such as Gmail. These included, ironically, Microsoft’s own Security Essentials itself.
Beyond the generally mediocre performance of some products, there seem to be two issues raised by NSS Labs’ findings.
First, users shouldn’t assume that antivirus offers strong protection for unpatched systems. If a vulnerability is in the public domain and no patch is available (or is available but hasn’t been applied), a system is open to attack regardless of what antivirus software is defending the endpoint.
Second, malware writers probably pay attention to the strengths and weaknesses of antivirus software just as much as testers do, especially individual products. If a product has a particular type of weakness, however short-term, that will have been noticed.
“The combinations of failures and successes are dramatic and necessitate further research. It is clear that many of the products are not blocking exploits,” the researchers conclude.
Antivirus firms will doubtless point out that the attacks were crafted in the lab, that the the vulnerabilities chosen were fairly recent, and that only two were looked at. Making judgements on the basis of such a narrowly-defined test offers only one indication among a number.
"The test is not designed to be a comprehensive buyer's guide, but rather to give an idea of why it is important to test products against a variety of protocols and types of attacks," said NSS Labs' research director, Randy Abrams.
The HTTPS test was a particularly important measurement, he said.
"It is not possible for security products to detect attacks in encrypted (HTTPS) streams without decrypting the traffic. As a result cybercriminals are attacking with exploits and malware that hide in the encrypted streams. The ability to decrypt and scan the https traffic is an essential component of protection."
The full results can be obtained from NSS Labs website (registration required).