‘Security’ Software Wrecking Your Security Is the Ultimate Irony

July 2, 2016, 5:09 PM UTC
An Iraqi soldier is reflected on broken
Baghdad, IRAQ: An Iraqi soldier is reflected on broken car shield glass at the site where a bomb exploded in kazemiya district north of Baghdad 29 May 2006. At least 39 people were killed today in a bloody explosion of violence across Iraq , including a spate of bombings against buses carrying people to work. The attacks underlined the parlous security situation in Iraq as agreement on the key defense and interior ministries remained elusive despite the formation of a new government on May 20, five months after national elections. AFP PHOTO/KARIM SAHIB (Photo credit should read KARIM SAHIB/AFP/Getty Images)
Karim Sahib—AFP via Getty Images

A version of this post titled “Symantec’s security quicksand” originally appeared in the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter.

If there’s anything more ironic than security software destroying one’s security, I am at a loss to offer examples.

Earlier this week Tavis Ormandy, a security researcher at Google (GOOG), discovered critical vulnerabilities in the entire suite of Symantec antivirus software. The aging giant’s 17 enterprise products and eight Norton consumer and small business products all contained severe flaws. So severe that, taken together, a hacker could exploit them to hijack a customer’s machine—or worse, “easily compromise an entire enterprise fleet,” as he wrote. That bad, yes.

Worse still, Ormandy noted that the vulnerabilities were “wormable”—meaning self-replicable. An attacker could fully take control of computers just by sending an email or link, without requiring any victim to open or click it. The infections could spread like a toxic miasma. (Good luck holding your breath.)

For more on hacking, watch:

If you think this news reflects poorly on Symantec (SYMC) (it does), you’re missing the bigger point. Ormandy, a Boba Fett-level computer bug bounty hunter, has uncovered vulnerabilities of all shapes and sizes in software sold by cybersecurity companies ranging from FireEye (FEYE) to Kaspersky to Intel (INTC) Security’s McAfee to Trend Micro (TMICY). Rather, what Ormandy’s findings show are this: A flagrant disregard on the part of security vendors for securing their own code.

Perhaps that’s unfair. These companies do try to lock down their software, no doubt. Their livelihoods are predicated on the notion of selling security, after all. Yet when something goes this wrong, it’s worth taking a long hard look in the mirror and initiating a thorough code review.

Blast shields should not explode in your face.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward