To the extent possible, antivirus vendors should run their products with the least privilege, should sandbox sensitive functionality, and should ensure an overall solid secure code maturity, said Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security (RBS).
Since Jan. 1, 2010, some 1,773 vulnerabilities have been reported in security software and devices -- 372 in 2015 -- and the majority of them were exploitable through input manipulation, according to data from RBS.
"Security vendors should be held to higher secure coding standards," Eiram said. "It's embarrassing when basic fuzzing uncovers a slew of vulnerabilities in parsing functionality, which has been a known culprit for years. It's even more embarrassing when said parsing functionality is done with SYSTEM privileges."
For the most part, antivirus vendors feel that process sandboxing is not applicable to antivirus products because it would hurt performance. Some claim that they are taking other steps, such as reducing privileges, performing routine security assessments, and developing other technologies that might have the same effect as sandboxing.
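The least-privilege and sandboxing argument above is easier to weigh with a concrete shape in mind. The following Python program is an added example written for this page; it is not code from the article or from any vendor's product. It parses a constructed toy record format in a forked worker that drops to an unprivileged account when started as root, runs under hard CPU and memory limits, and reports back over a pipe. A malformed input comes back as a clean rejection, and a worker that dies from a signal (the memory-corruption case that matters when a parser runs as SYSTEM) shows up as a "crashed" result instead of taking the host process down. The account name `nobody`, the limit values and the record format are assumptions for the example; it is Linux/POSIX only.

```python
"""Privilege-separated parsing: untrusted bytes are parsed in a forked, confined
worker so a parser bug cannot execute with the host's (root/SYSTEM) privileges.
Added example for this page, Linux/POSIX only. Assumed: a 'nobody' account exists."""
import json
import os
import pwd
import random
import resource
import struct


def parse_records(data: bytes):
    """Toy TLV parser (constructed format): [type:1][length:2 big-endian][payload]."""
    records, pos = [], 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated header at offset %d" % pos)
        rtype = data[pos]
        (length,) = struct.unpack_from(">H", data, pos + 1)
        pos += 3
        if pos + length > len(data):
            raise ValueError("declared length %d exceeds input" % length)
        records.append((rtype, data[pos:pos + length]))
        pos += length
    return records


def _confine_child():
    """Hard limits and privilege drop for the worker (values are assumptions)."""
    resource.setrlimit(resource.RLIMIT_CPU, (2, 2))          # a hang becomes SIGXCPU
    mem = 512 * 1024 * 1024                                   # must exceed current use
    _, hard = resource.getrlimit(resource.RLIMIT_AS)
    if hard != resource.RLIM_INFINITY:
        mem = min(mem, hard)
    resource.setrlimit(resource.RLIMIT_AS, (mem, mem))
    if os.geteuid() == 0:                                     # never parse as root
        acct = pwd.getpwnam("nobody")                         # KeyError: refuse to parse
        os.setgroups([])
        os.setgid(acct.pw_gid)
        os.setuid(acct.pw_uid)


def _write_all(fd, data):
    while data:
        data = data[os.write(fd, data):]


def parse_isolated(data: bytes):
    """Parse in a confined child; the host only ever sees a JSON summary."""
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                              # --- worker ---
        os.close(rfd)
        try:
            _confine_child()
            recs = parse_records(data)
            _write_all(wfd, json.dumps([[t, p.hex()] for t, p in recs]).encode())
            os._exit(0)
        except Exception as exc:                              # clean rejection
            _write_all(wfd, json.dumps({"error": str(exc)}).encode())
            os._exit(1)
    os.close(wfd)                                             # --- host ---
    chunks = []
    while True:
        chunk = os.read(rfd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):                                # memory-safety bug or hang
        return {"ok": False, "crashed": True,
                "error": "parser died with signal %d" % os.WTERMSIG(status)}
    try:
        msg = json.loads(b"".join(chunks).decode())
    except ValueError:
        return {"ok": False, "crashed": True, "error": "no usable result from parser"}
    if os.WEXITSTATUS(status) != 0:
        return {"ok": False, "crashed": False, "error": msg["error"]}
    return {"ok": True, "crashed": False,
            "records": [(t, bytes.fromhex(h)) for t, h in msg]}


def fuzz(seed: bytes, iterations: int = 200, rng_seed: int = 1):
    """Basic mutation fuzzing through the isolated parser: a worker crash is
    recorded as a finding instead of killing the process driving the fuzzer."""
    rng = random.Random(rng_seed)
    summary = {"accepted": 0, "rejected": 0, "crashed": []}
    for _ in range(iterations):
        buf = bytearray(seed)
        for _ in range(rng.randint(1, 4)):
            op = rng.randrange(3)
            if op == 0 and buf:
                buf[rng.randrange(len(buf))] = rng.randrange(256)
            elif op == 1 and buf:
                del buf[rng.randrange(len(buf))]
            else:
                buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        result = parse_isolated(bytes(buf))
        if result["ok"]:
            summary["accepted"] += 1
        elif result["crashed"]:
            summary["crashed"].append(bytes(buf))
        else:
            summary["rejected"] += 1
    return summary


# Constructed sample input: a type-1 record "hello" and a type-2 record b"\x00\x01".
SAMPLE = b"\x01\x00\x05hello" + b"\x02\x00\x02\x00\x01"
```

The isolation here is a process boundary plus rlimits and a uid change, which is the cheapest form of the idea; a production engine would add a syscall filter (seccomp on Linux, an AppContainer or low-integrity process on Windows) and reuse a pool of workers rather than forking per input, which is the performance cost the vendors quoted below are pointing at. The point the code makes is structural: `parse_records` never runs with the caller's privileges, and the fuzzer can tell a clean rejection from a crash.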
Symantec is working to reduce the attack surface of its products and services. Its approach, the company said, is to operate its security components at the lowest privilege level possible to reduce the likelihood of a successful attack.
Effectively addressing vulnerabilities is more complicated than using just one technology, according to Kaspersky Lab. The company implements the technologies it believes will provide the best level of protection to customers. For example, it's using machine learning algorithms to leverage the large amount of security intelligence and knowledge that it acquires.
"Despite the perceived simplicity of the 'sandbox' approach, it has a number of serious drawbacks, affecting performance, efficiency and compatibility," said Kaspersky's Zakorzhevsky.
Intel Security/McAfee said that when it learns of a potential issue, it immediately investigates to determine its validity, nature and severity and to develop a fix.
No one is arguing that antivirus vendors are not fixing flaws fast enough when they are found. In fact, some of them have impressive response times and their products are configured to automatically update themselves by default. The problem is the number and type of flaws that exist in such products in the first place.
Symantec and Intel Security declined to address more specific questions about sandboxing, the likelihood of attacks against antivirus products, the effectiveness of such products in detecting targeted attacks, or other criticism raised by security researchers.
Antivirus vendor Bitdefender said that a sandbox similar to the one provided by Google wouldn't be a viable engineering solution for a security product. "An antimalware solution would have to intercept and sandbox thousands of system events a second, which would bring a dramatic performance impact to the system and which might be greater than what the operating system vendor tolerates."