Several independent security researchers reported this past week that security software from Orange/France Telecom, developed to protect consumers from the negative effects of peer-to-peer software, in fact weakened the security of the computer it was installed on.
This case has been of particular interest to the press and blogging communities in France because the service was created in response to HADOPI—the controversial French legislation aimed at protecting copyrighted materials on the Internet.
The researchers state that the software “enables the bypass of existing protections and permitted an unprivileged user or process to execute arbitrary commands at full privilege – essentially creating a vector for system compromise.”
If true, it is ironic that a service aimed at improving the security posture of its users could have produced the opposite effect, yet it is certainly not unusual. We have seen many cases in which security flaws were introduced during software development, and we will continue to see such incidents unless Secure Programming Standards are incorporated into the software development lifecycle.
The “controle du telechargement” (download control) software from Orange/France Telecom, which cost €2 per month, is no longer available for purchase, but it is yet another example of how important it is to recognize the potential impact on your overall security stance when choosing to deploy new software. Organizations and individual computer users implementing software of any kind should always take steps to verify that the product performs its intended task without weakening their overall security posture; for a product that runs with elevated privileges, that means checking that it does not hand those privileges to unprivileged users or processes.
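The page does not say what the root cause of the Orange flaw was, so the following is not a reconstruction of it. It is an added example, not code from the original article or from Orange, of one concrete "step to ensure" a practitioner can take after installing a product that runs with elevated privileges: audit its install tree for the file-permission conditions that most commonly let an unprivileged user or process run code at the service's privilege level (world-writable files or directories that a privileged component reads or executes from, and setuid/setgid binaries). The install tree it scans is constructed inline for the demonstration; the directory and file names are assumptions, not the real product's layout, and the checks are POSIX mode-bit checks, so the script is meaningful on Linux/macOS rather than Windows.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def audit_install_tree(root):
    """Walk an install tree and flag permission conditions that commonly let an
    unprivileged user run code with the privileges of a service that executes
    from that tree. Returns a sorted list of (finding, path) tuples.

    - world-writable file: a privileged component that reads or executes it
      (config, script, plugin, binary) can be fed attacker-controlled content
    - world-writable directory: entries can be replaced or planted
    - setuid/setgid binary: runs as the owner regardless of who invokes it
    Symlinks are skipped so the audit stays inside the tree.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                kind = ("world-writable directory" if stat.S_ISDIR(mode)
                        else "world-writable file")
                findings.append((kind, path))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid/setgid binary", path))
    return sorted(findings)


def build_sample_tree():
    """Constructed example install tree (hypothetical layout, not the Orange
    product's). Modes are set explicitly so the result does not depend on umask.
    One clean binary, one setuid helper, one world-writable plugin directory
    and one world-writable config file."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    bindir = Path(root, "bin")
    bindir.mkdir()
    bindir.chmod(0o755)
    plugins = Path(root, "plugins")
    plugins.mkdir()
    plugins.chmod(0o777)  # anyone can drop a plugin here

    agent = bindir / "agent"
    agent.write_text("#!/bin/sh\necho agent\n")
    agent.chmod(0o755)  # fine: owner-writable only, no setuid

    helper = bindir / "helper"
    helper.write_text("#!/bin/sh\necho helper\n")
    helper.chmod(0o4755)  # setuid bit set

    conf = Path(root, "agent.conf")
    conf.write_text("update_cmd=/usr/bin/true\n")
    conf.chmod(0o666)  # any user can point update_cmd elsewhere
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for kind, path in audit_install_tree(sample):
            print(f"{kind:28s} {os.path.relpath(path, sample)}")
    finally:
        shutil.rmtree(sample, ignore_errors=True)
```

Run it against a real product by calling `audit_install_tree` on the install directory (and any data directory the service writes to). Each finding is a lead, not a verdict: a world-writable log directory is usually harmless, while a world-writable config file read by a root service, or a directory from which it loads modules, is exactly the shape of "unprivileged user executes commands at full privilege" that the researchers describe. Ownership is deliberately not asserted here because it depends on who ran the installer; on a production host you would additionally require that everything the privileged service executes is owned by root.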
Incorporating Secure Programming Standards into product development must also be a top-line priority for those producing and distributing software. If organizations and individual computer users are to defend successfully against the barrage of current and emerging cyber threats, producers and distributors must consider the overall security environment during the design and implementation of their products. This is especially true of software intended to address a security concern, which users will install with elevated trust and often with elevated privileges.