Anti-virus vendors in scrap over flaws

Security company ISS has publicly blasted rival Trend Micro for not patching reported bugs in its enterprise-grade, server-side anti-virus software.

David Dewey, a researcher with IBM-owned ISS, explained why his company had released several advisories that covered multiple vulnerabilities in Trend Micro's ServerProtect software, even though according to IBM, Trend has not fixed the flaws.

X-Force, the research arm of IBM's security group, reported the first bugs to Trend two years ago, said Dewey, and followed up with additional vulnerability reports through January 2008. But Trend's response was unsatisfactory. "Each time, Trend would assure us that fixes would be provided in the next scheduled patch," he said in a post to the X-Force blog. "We have worked with them through four security patches, and in all cases, the reported vulnerabilities were ignored or the solution they implemented was inadequate."

One fix Trend released, Dewey said, was "easily evaded in a matter of minutes after installation of the patch."

When X-Force got nowhere by working with Trend Micro direct, it instead tried to coordinate with its competitor through CERT/CC (Computer Emergency Response Team Coordination Center) and JPCERT, Japan's CERT group. Trend Micro is headquartered in Tokyo.

Even that, however, didn't work, Dewey claimed. "They responded to each of those organisations the same way they did to us, which was to dismiss true problem resolution and try to indicate their workarounds were sufficient to consider the issues addressed," he said.

X-Force essentially tossed in the towel. "It is apparent that we have reached a crossroads with Trend," Dewey said, "where they are unable or unwilling to sufficiently patch these eight critical vulnerabilities reported by X-Force. At this point, I feel it is important to let our customers know about the inherent and abundant security risks of running TrendMicro ServerProtect."

The company has posted four advisories that sketched out only the vaguest details about the eight vulnerabilities X-Force says it has found in ServerProtect, an anti-virus program that runs on Windows, Linux and Netware. Unlike traditional advisories, which are usually issued only after a patch is available, X-Force's omitted the kind of technical details that might give hackers clues on finding and exploiting the bugs.

A security researcher and an industry analyst both said X-Force's public chastising of Trend is unusual.

"Generally, the industry bands together and prefers not to speak poorly about others," said Andrew Storms, director of security operations at security vendor nCircle Network Security. "Although what gets said in sales meetings isn't always so full of rainbows."

"It is kind of unusual," said John Pescatore, analyst and research fellow with Gartner. "It's definitely the norm these days that security firms find vulnerabilities in each other's products, and X-Force has been one of the leaders in the last three or four years. And it looks like they followed responsible disclosure, gave Trend plenty of warning."

But in some ways, Pescatore said, X-Force broke an unspoken rule. "They definitely compete with each other," he said, referring to ISS and Trend Micro. "Does the blog post warn users of the danger? That's what the vulnerability advisories are for. Would X-Force do the same thing if it found bugs in IBM's WebSphere? If IBM didn't patch fast enough or the patches didn't work too well, would they be blogging that, 'We've had it with IBM'?"

A spokeswoman for Trend Micro, meanwhile, responded to a call for comment by saying "Trend Micro has already issued security patches for ServerProtect," and ticking off a pair of updates issued in March and May of this year. She declined to answer any additional questions about X-Force's allegations, however.

In Pescatore's eyes, X-Force went too far. "If Microsoft was to find bugs in Linux and publicise them, we'd all be negative about Microsoft," he said. "Come on, take the high road."