A vulnerability has been revealed in several major anti-virus products. The Israel-based cyber-security startup enSilo recently showed how AVG Internet Security 2015, McAfee VirusScan Enterprise version 8.8 and Kaspersky Total Security 2015 were all vulnerable to the same flaw.
These giants of the enterprise antivirus software game were all subject to the same coding issue. The softwares would allocate memory for read and write, as well as execute permissions with an address that an attacker could easily predict and then proceed to inject code into the target system.
enSilo originally found the vulnerability in AVG in March 2015, while at the website of a customer. Tomer Bitton, vice president of research at enSilo, wrote in a recent blog post, “The enSilo product alerted on a product collision with AVG, also installed in the customer's environment. A follow-up investigation conducted by our researchers revealed a flaw in AVG.”
The flaw would allow an attacker to exploit old vulnerabilities in a third-party application “in order to compromise the underlying Windows system”.
When Bitton spoke to SCMagazineUK.com, he described what he saw as the essential problem: “The anti-virus companies adopted a coding malpractice which essentially defeats Windows' mitigations against application exploitation.” This meant that the anti-virus products could conceivably become an “attacker's vehicle into taking complete control of the underlying Windows system”.
Bitton said that Microsoft is aware that applications often have vulnerabilities which can be used as gateways to attack the underlying Windows system. So, Microsoft puts in mitigation measures like Data Execution Prevention which stops attackers executing data as if it were code, or Address Space Layout Randomization (ASLR) which mixes up the the address space layout to prevent attackers from guessing too accurately where they could exploit a vulnerability.
But the anti-virus companies “located memory regions in predictable addresses – and gave them read, write and execute (RWX) permissions. By allocating memory in such a way, they rendered Microsoft's mitigations useless.”
enSilo has released a tool for the worried consumer, found here, to see if the vulnerability is there. Bitton told SC that the problem probably is not isolated to anti-virus software: “Due to the prevalence of this issue in anti-virus products, we can assume that this issue is replicated across other intrusive applications.”
There have been no recorded instances of this vulnerability in the wild but that doesn't mean it's just theoretical. Tavis Ormandy, also known as ‘the notorious Tavis Ormandy', a researcher at Google's Project Zero, found a very similar vulnerability earlier this year wherein an attacker could gain access to the computer's underlying system via the mere functioning of the antivirus software.
While AVG did not respond for comment, Kaspersky released a statement to SC saying that the vulnerability disclosed by enSilo had been fixed in the September auto-updated patch. “The vulnerability couldn't be exploited by itself with code execution and privilege escalation, but could have simplified the exploitation of 3rd party application vulnerabilities, such as stack based buffer-overflow,” it said.
The company added, “Kaspersky Lab takes all necessary measures to provide our users with reliable, high-quality, real-time protection from cyber-threats. Moreover, we have always valued the efforts of independent researchers that allow us to make our products better and offer better protection for our customers."
McAfee also commented that, "Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers' claims and took action to develop and distribute a solution addressing it. This solution was distributed to customers in a patch on August 26, 2015. We are not aware of any customers targeted with an exploit of the issue in question."