AV engines are riddled with exploitable bugs
Posted on 29.07.2014
A security researcher has found a great number of exploitable vulnerabilities in popular security solutions and the AV engines they use, proving not only that AV engines are as vulnerable to zero-day attacks as the applications they try to protect, but also that they can lower the operating system's exploit mitigations.


"Installing an application in your computer makes you a bit more vulnerable," says Joxean Koret, a researcher with Singapore-based Coseinc, and that is equally true for AV solutions.

Wielding a custom-developed fuzzing suite against all the AV engines he could find, he unearthed dozens of remotely exploitable vulnerabilities. He tested the engines used by BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV and AVG.

Almost all of the engines are written in C and/or C++, which opens the door for attackers to discover and leverage buffer and integer overflow bugs. Also, most of them install OS drivers, which could allow an attacker to perform escalation of privilege.
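The integer overflow bugs mentioned above typically come from size arithmetic in file-format parsers: a count and an entry size read from the file are multiplied in 32-bit arithmetic, the product wraps, and a bounds check that looks correct passes. The Go program below is an added example, not code from Koret's research or from any of the engines named. It parses a constructed toy container format (a "TOYA" magic, an entry count and an entry size, all invented for this example) and shows the naive `count*entrySize` computation beside a checked version built on `math/bits.Mul32`:

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// Constructed toy container format, used only for this example (not a real
// format scanned by any engine):
//   bytes 0-3   magic "TOYA"
//   bytes 4-7   uint32 little-endian entry count
//   bytes 8-11  uint32 little-endian entry size
//   then        count*entrySize bytes of entry payload
const (
	magic     = "TOYA"
	headerLen = 12
)

var ErrTruncated = errors.New("toy: truncated or malformed container")

// regionLenNaive mirrors the classic C/C++ bug: the product is computed in
// 32-bit arithmetic and silently wraps, so a huge count*entrySize looks small.
func regionLenNaive(count, entrySize uint32) uint32 {
	return count * entrySize
}

// regionLenChecked computes the same product but refuses to wrap.
func regionLenChecked(count, entrySize uint32) (uint32, error) {
	hi, lo := bits.Mul32(count, entrySize)
	if hi != 0 {
		return 0, fmt.Errorf("toy: %d*%d entry region overflows 32 bits", count, entrySize)
	}
	return lo, nil
}

// ParseEntries splits a container into its entries. With checked=false it
// reproduces the naive length check. In C the wrapped size would under-
// allocate and the copy loop would write out of bounds; in Go the same loop
// panics on an out-of-range slice, which is recovered here and reported as an
// error (for a scanner that is still a denial of service).
func ParseEntries(data []byte, checked bool) (entries [][]byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			entries, err = nil, fmt.Errorf("toy: parser crashed: %v", r)
		}
	}()
	if len(data) < headerLen || string(data[:4]) != magic {
		return nil, ErrTruncated
	}
	count := binary.LittleEndian.Uint32(data[4:8])
	entrySize := binary.LittleEndian.Uint32(data[8:12])

	var region uint32
	if checked {
		if region, err = regionLenChecked(count, entrySize); err != nil {
			return nil, err
		}
	} else {
		region = regionLenNaive(count, entrySize)
	}
	// The bounds check is identical in both modes; it is the wrapped value of
	// 'region' that makes it useless in the naive case.
	if uint64(len(data)-headerLen) < uint64(region) {
		return nil, ErrTruncated
	}
	for i := uint32(0); i < count; i++ {
		off := headerLen + int(i)*int(entrySize)
		entries = append(entries, data[off:off+int(entrySize)])
	}
	return entries, nil
}

// BuildContainer assembles a container from header fields and payload; it is
// used to construct both the benign and the hostile inputs below.
func BuildContainer(count, entrySize uint32, payload []byte) []byte {
	buf := make([]byte, headerLen, headerLen+len(payload))
	copy(buf, magic)
	binary.LittleEndian.PutUint32(buf[4:], count)
	binary.LittleEndian.PutUint32(buf[8:], entrySize)
	return append(buf, payload...)
}

func main() {
	benign := BuildContainer(2, 3, []byte("abcdef"))
	hostile := BuildContainer(0x10000, 0x10000, nil) // 0x10000*0x10000 wraps to 0
	for _, in := range []struct {
		name string
		data []byte
	}{{"benign", benign}, {"hostile", hostile}} {
		for _, checked := range []bool{false, true} {
			es, err := ParseEntries(in.data, checked)
			fmt.Printf("%-7s checked=%-5v entries=%d err=%v\n", in.name, checked, len(es), err)
		}
	}
}
```

The hostile input is a 12-byte file with no payload at all: the naive parser accepts its header because the wrapped region length is zero, then faults on the first entry, while the checked parser rejects it at the multiplication. The same `Mul32`/`Mul64` check, or an equivalent `count > max/entrySize` comparison in C, is the fix a fuzzer-found crash of this kind usually needs.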

"Most (if not all...) antivirus engines run with the highest privileges: root or local system," he noted. "If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges."

Finally, most AVs get updates over HTTP-only protocols, which could lead to man-in-the-middle attacks that deliver malware instead of updates.

"Exploiting AV engines is not different to exploiting other client-side applications," he noted. "They don't offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. And sometimes they even disable such features."

A lot of the vulnerabilities he found and responsibly disclosed to some of the vendors have been fixed, and he shared details of some of these and of how he exploited them with the audience of the SyScan 360 security conference held in Beijing two weeks ago.

He offered several recommendations for AV users - don't trust your AV product, audit the AV engine, isolate machines with AV engines used for gateways, network inspection, and so on - but the bulk of his advice was directed at AV companies:
  • Don't use the highest privileges possible for scanning network packets and files
  • Audit your products, establish a bug bounty program
  • Run dangerous code under an emulator, vm, or in a sandbox
  • Don't trust your own processes
  • Use SSL/TLS for updating your product, digitally sign all files
  • Drop useless old code
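The update-channel point in the list above (use SSL/TLS and digitally sign all files), together with the HTTP-only update channel described earlier, is the most mechanical of these recommendations to implement. The Go program below is an added example, not vendor code from any of the products named. It assumes a hypothetical update format (a version number, the definition payload and an Ed25519 signature covering both), refuses non-HTTPS download URLs, verifies the signature against the vendor's public key, and rejects replays of older signed versions; the vendor key pair is generated on the spot so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Update is the hypothetical download format assumed here: a definition blob,
// the version the vendor assigned to it, and one signature covering both.
type Update struct {
	Version   uint64
	Payload   []byte
	Signature []byte
}

var (
	ErrBadScheme = errors.New("update: refusing non-HTTPS update URL")
	ErrBadSig    = errors.New("update: signature does not verify")
	ErrRollback  = errors.New("update: version is not newer than the installed one")
)

// signedMessage binds the version to the payload hash, so a validly signed but
// older file cannot be replayed as if it were the newest one.
func signedMessage(version uint64, payload []byte) []byte {
	h := sha256.New()
	var v [8]byte
	binary.BigEndian.PutUint64(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// CheckUpdateURL enforces TLS for the download channel.
func CheckUpdateURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrBadScheme
	}
	return nil
}

// NewUpdateClient only negotiates TLS 1.2 or newer and refuses redirects to
// non-HTTPS locations, which would otherwise reintroduce the plaintext channel.
func NewUpdateClient() *http.Client {
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return CheckUpdateURL(req.URL.String())
		},
	}
}

// SignUpdate is the vendor-side half, included so the example runs offline.
func SignUpdate(vendorPriv ed25519.PrivateKey, version uint64, payload []byte) Update {
	sig := ed25519.Sign(vendorPriv, signedMessage(version, payload))
	return Update{Version: version, Payload: payload, Signature: sig}
}

// VerifyUpdate is the check the client runs before applying anything:
// signature first, then the anti-rollback version comparison.
func VerifyUpdate(vendorPub ed25519.PublicKey, installed uint64, u Update) error {
	if !ed25519.Verify(vendorPub, signedMessage(u.Version, u.Payload), u.Signature) {
		return ErrBadSig
	}
	if u.Version <= installed {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed vendor key pair; a real product ships only the public key.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	v2 := SignUpdate(vendorPriv, 2, []byte("constructed definitions v2"))
	tampered := v2
	tampered.Payload = []byte("constructed tampered blob") // signature no longer matches
	v1 := SignUpdate(vendorPriv, 1, []byte("constructed definitions v1"))

	fmt.Println("url http  :", CheckUpdateURL("http://updates.example/defs.bin"))
	fmt.Println("url https :", CheckUpdateURL("https://updates.example/defs.bin"))
	fmt.Println("genuine v2:", VerifyUpdate(vendorPub, 1, v2))
	fmt.Println("tampered  :", VerifyUpdate(vendorPub, 1, tampered))
	fmt.Println("replay v1 :", VerifyUpdate(vendorPub, 1, v1))
}
```

TLS on its own protects the transport, and the signature on its own protects the file; the version bound into the signed message is what closes the remaining gap, since an on-path attacker who cannot forge a signature can still replay a genuine, older definition set that lacks detection for newer malware unless the client refuses anything that is not strictly newer than what it already runs.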

For more details about the vulnerabilities and the exploits, you can check out Koret's presentation slides.
Copyright 1998-2014 by Help Net Security.