My AntiVirus Killed my PC
In rare circumstances auto-updating software, such as Anti-virus applications, can act as security weaknesses rather than strengths. Recently such a case occurred when the Trend Micro Anti-Virus application had a buggy identification file released. The culprit, version 594 of their virus definitions file, would result in affected Windows PCs slowing down significantly as their CPU usage ramped up to 99%, or greater.
This issue struck late on Friday afternoon, US time, after most personnel had departed for the weekend. This saved a lot of obvious heartache, as there were not as many end users as there otherwise might have been suffering from the slowdown. Unfortunately, however, this meant that a lot of administrators and other technical personnel were scrambling to diagnose, isolate, and repair the issues, costing them their Friday evenings, and into the weekend.
This is a practical example of why a completely homogenous environment, coupled with a lack of proper testing procedures, is a dangerous situation. The danger of completely homogenous environments, in particular those created by a monopoly presence, was elaborated in the now famous White Paper "Cyber Insecurity: The Cost of Monopoly". The paper specifically focussed on the potential for damage caused by the effective monopoly that Microsoft has, and how a 'monoculture', where one software provider, or one software type has absolute dominance, creates a single point of failure for a complex system.
A real world example where a lack of diversification caused a major catastrophe was the Irish Potato Famine of 1845 - 1850. In this case, the Irish farmers were only growing one primary crop, the potato, due to its dense energy storage and the best return per acre for any food available at the time. This also encouraged rapid population growth, as sufficient food was available to support the population density. Initially, airborne fungal spores from North America (via England) infected potato plants around Dublin, then rapidly spread to surrounding areas. As the infection vector was airborne, and the weather conditions were suitable for transmission of the fungus, the Irish potato crop soon failed nationally, and seed stores were destroyed by the fungus. Previous crop failures were limited in reach due to infection vectors being stopped by geography, different failure mechanisms, climate variations and so on. The complete loss of the primary food crop, linked with the exportation of the remaining food crops (cash crops), led to the mass starvation and emigration flows. Modern day equivalents are found in lesser developed countries, where cash crops are the primary agriculture and fluctuations in global demand and price leave countries vulnerable to minor shifts in the market.
Like the potato famine, failing to diversify your systems, or at least failing to properly test, quarantine, and protect against externally introduced material, will result in a single point of failure which can easily bring down whole networks. Not only is this important from an Operating System point of view, but also with the applications being run on them. While cost and effective interoperability concerns will limit the ability to diversify, an effective quarantine and test environment should be in place, before implementing any application on protected networks. Likewise, networks should be protected against external risks.
Several public system failures, particularly in Japan, came about as the result of the incorrect virus definitions file. East Japan Railways were affected by the recent virus definitions file problem, along with Osaka's municipal subway system, when various LANs went offline. A number of Japanese news services and the Tottori Prefectural Government were also affected, along with absentee voting for a number of prefectures.
The lesson to learn here is to always be careful with applications and Operating Systems which automatically update themselves, as they could be the vector for destroying your data or network.
2 May 2005
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.