A version of this post titled “Symantec’s security quicksand” originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.
If there’s anything more ironic than security software destroying one’s security, I am at a loss to offer examples.
Earlier this week Tavis Ormandy, a security researcher at Google (goog), discovered critical vulnerabilities in the entire suite of Symantec antivirus software. The aging giant’s 17 enterprise products and eight Norton consumer and small business products all contained severe flaws. So severe that, taken together, a hacker could exploit them to hijack a customer’s machine—or worse, “easily compromise an entire enterprise fleet,” as he wrote. That bad, yes.
Worse still, Ormandy noted that the vulnerabilities were “wormable”—meaning self-replicable. An attacker could fully take control of computers just by sending an email or link, without requiring any victim to open or click it. The infections could spread like a toxic miasma. (Good luck holding your breath.)
For more on hacking, watch:
If you think this news reflects poorly on Symantec (symc) (it does), you’re missing the bigger point. Ormandy, a Boba Fett-level computer bug bounty hunter, has uncovered vulnerabilities of all shapes and sizes in software sold by cybersecurity companies ranging from FireEye (feye) to Kaspersky to Intel (intc) Security’s McAfee to Trend Micro (tmicy). Rather, what Ormandy’s findings show are this: A flagrant disregard on the part of security vendors for securing their own code.
Perhaps that’s unfair. These companies do try to lock down their software, no doubt. Their livelihoods are predicated on the notion of selling security, after all. Yet when something goes this wrong, it’s worth taking a long hard look in the mirror and initiating a thorough code review.
Blast shields should not explode in your face.