The conventional description of anti-virus programs says that they provide a necessary layer of protection, but organizations should start auditing such programs before integrating them on their systems because many of them include serious security problems, according to Joxean Koret, a security researcher at COSEINC, a Singapore-based security firm.
Koret says that anti-virus programs are as vulnerable to attacks as the applications they claim to protect, and that they add a large attack surface that can make systems more vulnerable rather than less. The researcher recently presented his findings at the SyScan 360 security conference in Beijing this month.
He also explained how he used a custom fuzzing suite to uncover remotely and locally exploitable flaws in 14 of 17 major anti-virus engines. The affected solutions include those from popular vendors such as AVG, Avira, Avast, Comodo, DrWeb, Bitdefender, F-Prot, F-Secure, ESET and Panda. ESET and Avast had patched their software by the time of the presentation.
“Exploiting AV engines is not different to exploiting other client-side applications,” Koret said in his presentation. “They don’t use any special self-protections and rely on anti-exploitation technologies in the OS like ASLR (address space layout randomization) and DEP (data execution prevention); and sometimes they even disable those features.”
The next problem, according to Koret, is that anti-virus programs run with administrator privileges, which they need to perform actions such as scanning the entire system and modifying or removing malicious software. If an anti-virus program is compromised, that same privilege gives attackers extensive power over the system on which it was deployed.
“Most antivirus engines run with the highest privileges: root or local system,” Koret said. “If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges.”
He also stated that anti-virus programs can have flaws, including zero-day vulnerabilities, just like any other computer program, simply because humans wrote them. Compounding this, most anti-virus solutions are updated over insecure HTTP connections, and most of the updates are not verified cryptographically.
He argues that this could make it easy for would-be attackers to conduct man-in-the-middle attacks: by intercepting a program’s HTTP connection and sitting between the client machines and the update server, they could gain access to the anti-virus programs on enterprise and home PCs.
“Exploiting AV engines is not different to exploiting other client-side applications. They don’t have or offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else and sometimes they even disable such features.”
Koret didn’t report the discovered vulnerabilities to all vendors, because he thinks vendors should take responsibility for auditing the solutions they pick and should run bug bounty programs to attract independent research.
He also recommended that vendors use programming languages safer than C and C++, avoid high privileges when parsing files and network packets because “file parsers written in C/C++ code are very dangerous”, run vulnerable code in sandboxes or emulators, remove code for old threats that hasn’t been touched in a while, and use SSL and digital signatures for updates.
Koret recommends that AV users shouldn’t trust their AV product, adding that if they do trust their solution they should always take note of the following about its vendor:
1. The vendor should not use the highest privileges available when scanning files and network packets.
2. It should take responsibility for auditing its own products.
3. It should run dangerous scripts and code in a virtual machine, an emulator or a sandbox.
4. It should not trust its own solutions.
5. Finally, it should use SSL/TLS to deliver updates and digitally sign all update files.
According to the Inquirer, Bitdefender was contacted about the issue. A company spokesman said:
“We have fixed the bugs which he has published proof of concept exploits for, within days of publication. Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA processes which should result in far sturdier code and prevent similar situations in the future.”
He added: “We are still not in possession of the list of alleged bugs found by Koret, so we cannot tell if we have fixed them all, or, indeed, even if they are all reproducible.”
F-Secure confirmed the vulnerabilities:
“We worked together with the researcher to analyze and fix the vulnerabilities,” said an F-Secure spokesperson. “All the vulnerabilities reported to us have been fixed through our normal vulnerability fix process and automatically deployed to our customers. This includes the vulnerabilities reported to us in the Bitdefender engine, which we also use in some of our products.”
The company thanked Koret “for his important work” and for collaborating with its researchers to improve its products, adding: “To our knowledge, the vulnerabilities have never been used to attack our customers.”
“ESET proactively contacted [Koret] to learn more about the issue. ESET resolved the problem and published an update in less than three days.”
“ESET always welcomes researchers who follow responsible disclosure procedures of bugs and issues. While we do everything possible to ensure that products are fault free, sadly no software is perfect.”
AVG has yet to respond to the Inquirer.
SyScan 2014 slides: Breaking Antivirus Software