Over the last few years, cyberattacks using sophisticated malware have been on the rise. From general computer users to government agencies, educational institutes, companies and research centers, all have been targeted.
The only way, it seemed, to thwart a malware attack was to use antivirus or anti-malware software that could detect and block such computer viruses. But according to a recent report, every major anti-malware solution has security flaws that can be exploited, rendering it ineffective.
According to CyberArk, a cybersecurity firm, it tested offerings from McAfee, Kaspersky, Symantec, Fortinet, Checkpoint, Trend Micro, Avira, Avast and F-Secure, besides Microsoft, and found significant security issues that could be abused by hackers to gain a foothold in a system and elevated privileges.
Privilege Manipulation
It's ironic that an anti-malware solution can be abused to attack a system. During its research, CyberArk found that at least one piece of security software on every Windows system is vulnerable and could be abused via a file manipulation attack that gives the hacker elevated privileges.
CyberArk security researcher Eran Shimony, who identified the flaws, found that incorrect use of system resources by privileged processes was a common problem across all the antivirus solutions. To put that to the test, CyberArk looked at Avira's antivirus software. Two of its processes write to the same log file, and CyberArk researchers could redirect the write operation to any file through a symbolic link attack.
However, Avira wasn't the only software vulnerable to symlink attacks. In 99 percent of the cases, the privileged process didn't change the Discretionary Access Control List (DACL) of the existing directory it used, so an unprivileged user could still place a symbolic link there.
This means the vulnerability could be abused to trick the privileged application into targeting a different file every time it does a read, write or delete. "This allows us to alter the content of protected files, like those being used by the operating system," he says.
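The finding above is that a privileged process keeps writing into a directory whose DACL it never tightened, so an unprivileged user can plant a symbolic link or junction there and redirect the write. The following PowerShell script is an added example for defenders, not code from the article or from CyberArk: it audits a log directory for low-privileged write access and for reparse points, and shows how a service could lock the directory's DACL down to SYSTEM and Administrators. The path C:\ProgramData\ExampleAV\Logs is an assumed placeholder.

```powershell
# Added example (not from the article or CyberArk). Audits a directory that a
# privileged process writes to, looking for the two conditions the research
# describes: a DACL that lets ordinary users create/replace files, and
# reparse points (symlinks/junctions) that would redirect a privileged write.
function Test-PrivilegedLogDirectory {
    param([Parameter(Mandatory)] [string] $LogDir)

    $findings = @()
    if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
        return @("Directory does not exist: $LogDir")
    }

    # 1. The directory itself must not be a reparse point: a junction at this
    #    level redirects every file the privileged process creates beneath it.
    $dirItem = Get-Item -LiteralPath $LogDir -Force
    if ($dirItem.Attributes -band [IO.FileAttributes]::ReparsePoint) {
        $findings += "Directory is a reparse point (target: $($dirItem.Target))"
    }

    # 2. DACL review: rights that let low-privileged principals plant or replace
    #    entries. Well-known SIDs: Everyone, Authenticated Users, Users, Interactive.
    $lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4')
    $writeMask = [int]([Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                       [Security.AccessControl.FileSystemRights]::Delete -bor
                       [Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                       [Security.AccessControl.FileSystemRights]::WriteAttributes)
    $acl = Get-Acl -LiteralPath $LogDir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += "DACL grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
        }
    }

    # 3. Existing entries that are already symlinks or junctions.
    Get-ChildItem -LiteralPath $LogDir -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
        ForEach-Object { $findings += "Reparse point inside directory: $($_.FullName) -> $($_.Target)" }

    return $findings
}

# Mitigation: stop inheriting the parent's (often Users-writable) ACEs and grant
# access only to SYSTEM and BUILTIN\Administrators. Requires administrative rights.
function Protect-PrivilegedLogDirectory {
    param([Parameter(Mandatory)] [string] $LogDir)

    $acl = Get-Acl -LiteralPath $LogDir
    $acl.SetAccessRuleProtection($true, $false)      # disable inheritance, drop inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $inherit = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # SYSTEM, BUILTIN\Administrators
        $id   = New-Object Security.Principal.SecurityIdentifier $sid
        $rule = New-Object Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $LogDir -AclObject $acl
}

# Usage (assumed path):
# Test-PrivilegedLogDirectory -LogDir 'C:\ProgramData\ExampleAV\Logs'
# Protect-PrivilegedLogDirectory -LogDir 'C:\ProgramData\ExampleAV\Logs'
```

The audit reports findings rather than fixing them, so it can run read-only from a scheduled task; the hardening function is separate because rewriting a DACL is a deliberate change that should be reviewed. Locking the DACL does not by itself remove an existing link, so run the audit first and remove any reparse point it reports before the privileged process next writes.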
DLL Hijacking
The other area of concern is DLL hijacking, where a hacker can load a malicious file into a privileged process. Shimony said that vendors failed to prevent security apps with privileged access from loading DLLs without verifying their digital signature. "By doing that we were able to run code inside the DLLMain function, which is then executed immediately after loading the DLL, allowing for a code execution inside a privileged application," he said.
The cybersecurity researcher also said that the problem could be mitigated if antivirus vendors changed the way their applications load DLLs. He advised loading DLLs by absolute path or enforcing digital signature checks.
However, most of the problems that Shimony mentioned require an attacker to have physical access to a system to exploit them. Thus, the threat level is not critical, whereas remote code execution flaws are labeled with the highest severity. Kaspersky told Dark Reading that the vulnerabilities could only be exploited by a hacker with authenticated access while installing the antivirus solution.
Trend Micro's Director of Global Threat Communications, Jon Clay, said that since physical access was necessary to exploit the vulnerabilities, doing so would not be easy, which was why the bugs were given a medium-severity rating. He added that the company had already patched the bugs.
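The two mitigations named above, absolute paths and enforced digital signatures, can be combined in a single load routine. The following PowerShell function is an added example for illustration, not code from the article or from any of the vendors named: it refuses relative DLL names, checks the Authenticode signature (optionally pinning the signer's certificate thumbprint) before the loader runs DllMain, and then calls LoadLibraryExW with LOAD_LIBRARY_SEARCH_SYSTEM32 so that the DLL's own dependencies are resolved from System32 rather than the application or current directory. The DLL path and thumbprint in the usage line are assumed placeholders.

```powershell
# Added example (not from the article or any vendor). Loads a native DLL only
# by absolute path and only after its Authenticode signature checks out.
Add-Type -Namespace SafeLoad -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryExW(string lpLibFileName, IntPtr hFile, uint dwFlags);

[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Import-VerifiedNativeLibrary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedThumbprint      # assumed: SHA-1 thumbprint of the vendor's signing certificate
    )

    # 1. Absolute path only. A bare name walks the DLL search order, which can be
    #    satisfied by a file planted in an attacker-writable directory.
    if (-not [IO.Path]::IsPathRooted($Path)) {
        throw "Refusing relative DLL name: $Path"
    }
    $full = [IO.Path]::GetFullPath($Path)
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
        throw "DLL not found: $full"
    }

    # 2. Signature check before the loader gets a chance to run DllMain.
    $sig = Get-AuthenticodeSignature -FilePath $full
    if ($sig.Status -ne 'Valid') {
        throw "Signature status is '$($sig.Status)', refusing to load: $full"
    }
    if ($ExpectedThumbprint -and
        $sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
        throw "Signer thumbprint $($sig.SignerCertificate.Thumbprint) does not match the pinned value"
    }

    # 3. Load by full path; LOAD_LIBRARY_SEARCH_SYSTEM32 (0x800) restricts where the
    #    DLL's own imports are resolved from, closing the same hole for dependencies.
    $LOAD_LIBRARY_SEARCH_SYSTEM32 = [uint32]0x800
    $handle = [SafeLoad.Native]::LoadLibraryExW($full, [IntPtr]::Zero, $LOAD_LIBRARY_SEARCH_SYSTEM32)
    if ($handle -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LoadLibraryExW failed for ${full}: Win32 error $err"
    }
    return $handle
}

# Usage (assumed path and thumbprint):
# $h = Import-VerifiedNativeLibrary -Path 'C:\Program Files\ExampleAV\plugin.dll' `
#                                   -ExpectedThumbprint '0000000000000000000000000000000000000000'
# ... use the module ...
# [void][SafeLoad.Native]::FreeLibrary($h)
```

Two caveats worth keeping in mind. Checking the signature and then loading the file are separate operations, so a writable DLL directory still leaves a window in which the file can be swapped between the two steps; the signature check is a second line of defence behind a directory DACL that ordinary users cannot write to. And a signature that is merely Valid proves only that some trusted publisher signed the file, which is why the function optionally pins the signer's thumbprint as well.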
Both Kaspersky and Trend Micro urged users to install the latest versions of the antivirus for better security.