Malicious Marketing

Panda exploits Symantec flaw

From , former About.com Guide

Important update, May 30, 2006: As it turns out, the email described in the article below was the act of a single employee and was not sanctioned by the company. Panda Software has issued an apology which can be found here. Following is the original article:

May 29, 2006

Researchers in the antivirus industry have long boasted an incredible amount of cooperation between vendors to ensure all respective customers gain rapid protection against newly discovered threats. But the marketing departments are sometimes another story. Case in point: the recently discovered vulnerability affecting certain Symantec products became an immediate ‘press sensation’ for rabid marketeers at Panda Software.

An incendiary pitch
Someone using the name “Ryan Sherstobitoff; Technical Engineer” (which actually ‘Replied To’ sales@pandasoftware.com) sent out an email with a subject line that screamed, “ONLY SYMANTEC USERS SHOULD READ THIS.” The body of the email makes such claims as, “Symantec AntiVirus Worm Hole Puts Millions at Risk”, “debilitating worm attack”, and “remote hackers to take complete control of the target machine ‘without any user action’.” The email then goes on to peddle Panda Software as the "ideal security solution".

So let’s get the facts straight.

On May 26th, Symantec acknowledged a vulnerability involving a stack overflow in a select few products and affecting very specific versions. Specifically, the impacted products were Symantec AntiVirus Corporate Edition 10.0 and 10.1 and Symantec Client Security 3.0 and 3.1. These are not home user versions; no other products, including Norton AntiVirus and Norton Internet Security, were vulnerable to this flaw. Later that same day, Symantec released IPS signatures to detect and prevent exploitation of the flaw until patches could be provided. By the very next day, all patches had been created, tested, and released to users of the affected versions.

Despite Symantec’s responsible disclosure and rapid remediation, the sales department at Panda Software wasted no time in marketing the exploit, omitting the fact that the vulnerability was isolated to a small number of products and neglecting to mention that home users were not affected. The Panda marketing email even insinuated that Symantec’s customers should use Panda’s own products to check their systems.

Pot calling the kettle black
Just a few months earlier, on November 28, 2005, Panda’s own software was found to be vulnerable to a highly critical flaw that impacted not just a few select versions but nearly their entire product line, including versions for home users. (That list is too long to publish here; see the Juniper advisory for a complete list of impacted products.) Panda patched the flaw four days later, on December 2nd, 2005.

Security vulnerabilities can potentially exist in any software. Mac users aren't immune, Firefox users aren't immune, Symantec users aren't immune, and Panda Software users certainly aren't immune. Rather than mislead consumers with hype, it would be refreshing if antivirus marketing teams embraced the same philosophy as the antivirus researchers: work together to best meet the needs of all customers. Instead, Panda's marketing team sought to exploit the vulnerability for their own profit, using FUD as the sales pitch. For shame.