Computer security and the business thereof


Zarquon
Jan 19th 2010, 05:24 AM
...In a survey of 443 companies and government agencies published last month, the Computer Security Institute found that 64 percent reported malware infections, up from 50 percent the previous year. The financial loss from security breaches was $234,000 on average for each organization...
Often, malware infections are a result of high-tech twists on old-fashioned cons. One scam involves small U.S.B. flash drives, left in a company parking lot, adorned with the company logo. Curious employees pick them up, put them in their computers and open what looks like an innocuous document. In fact, once run, it is software that collects passwords and other confidential information on a user’s computer and sends it to the attackers. More advanced malware can allow an outsider to completely take over the PC and, from there, explore a company’s network...
Recently, security experts have started seeing malware that surreptitiously switches on a cellphone’s microphone and camera. “It turns a smartphone into a surveillance device,” said Mark D. Rasch, a computer security consultant in Bethesda, Md...
The complexity of software code from different suppliers, as it intermingles in corporate networks and across the Internet, also opens the door to security weaknesses that malware writers exploit...
The software products themselves, they say, are riddled with vulnerabilities — thousands of such flaws are detected each year across the industry.
The long-term answer, some experts assert, lies in setting the software business on a path to becoming a mature industry, with standards, defined responsibilities and liability for security gaps, guided by forceful self-regulation or by the government.
Source (http://www.nytimes.com/2010/01/18/technology/internet/18defend.html?pagewanted=all)
I found the last bit to be rather interesting, in that it is rather fishy that all those vulnerabilities are identified annually and yet they are only fixed belatedly when still newer ones crop up, and these firms always seem to be one step behind supposedly independent/uncoordinated, collegiate/upstart, and few hackers, and the exploitative advantage these firms are generating from new bogeymen of 'cyberterrorists' from relatively backward countries like the PRC.
I can see how, without any oversight and with an obvious vested interest, perhaps these security companies may be responsible for 'accidentally leaking' their codes or, worse still, creating these threats themselves.

Michael
Jan 19th 2010, 10:27 AM
Well... it was rather crudely pointed out a few years ago when everyone was all up in arms about the flood of spam that Microsoft and Yahoo stood to profit from it (by charging you for services to block it).

drgoodtrips
Jan 19th 2010, 11:24 AM
There's a very practical issue with having "forceful self-regulation" or (God forbid) government regulation when it comes to software.

Consider that if I build and manufacture a widget, I basically freeze the widget "as-is" for the purpose of mass production and sale. An independent standards agency can purchase one, perform experiments on it, and assess it. Now, periodically there are change orders and the manufacture of the widget changes. But, by and large, there are tangible, discrete incarnations of the widget that are produced.

Contrast this with software:

I create some piece of software and release it (but not its source code). I issue patches to the software remotely, often customized, on the fly, at the request of a particular customer. Or, perhaps I have a web application for which I perform daily or hourly releases of software. This is more on par with 'manufacturing' a widget where no two are alike and each widget can be remotely altered at the customer's request after the sale. Also, you cannot take the widget apart and see how it's made in any way. It is a black box.

Now, imagine some lumbering government agency trying to impose liability standards. By the time it got around to investigating what went wrong with a widget, there might be zero widgets that look anything like the one that malfunctioned.

evanescence
Jan 19th 2010, 04:27 PM
Well... it was rather crudely pointed out a few years ago when everyone was all up in arms about the flood of spam that Microsoft and Yahoo stood to profit from it (by charging you for services to block it).

I tend to think that the same companies creating security software are the same ones creating the malware. Maybe I'm just being too cynical. :shrug:

drgoodtrips
Jan 19th 2010, 05:08 PM
I tend to think that the same companies creating security software are the same ones creating the malware. Maybe I'm just being too cynical. :shrug:

That happens, but not with reputable brands. Where you see that the most is on websites that pop up something telling you that your computer is infected and that you should download their virus removal doo-dad. When you do, it generally does remove various pieces of spyware, but it also puts its own spyware on there. It's simply ridding itself of its competition.

The more spyware and crap on your machine, the worse it runs and the more likely you are to do something about it. Any purveyor of this sort of crapware prefers a state of affairs where its stuff runs completely under the radar.

Norton, McAfee, et al. don't produce malware. They'd be quickly exposed and would subsequently go bankrupt.