He published a slide show and demonstrated that AV can be hacked just like any other third-party application. The fact that AV engines often run with the highest privileges only makes the danger worse. Why? Most antivirus products are installed with top privileges, so finding a bug in them and exploiting it gives an attacker those same top privileges on the victim system.
At the SyScan 360 security conference in Beijing, Koret provided a relatively simple example, explaining that "most antivirus engines update via HTTP only protocols." (i.e. not using HTTPS). Using a man-in-the-middle (MitM) attack, "one can install new files and/or replace existing installation files," which "often translates in completely owning the machine with the AV engine installed as updates are not commonly signed".
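The update-channel weakness Koret describes has two halves, cleartext transport and unsigned packages, and a defender has to close both. As an added example (not code from the original post or from any AV vendor), here is a Go updater check that refuses any package not fetched over HTTPS and then verifies an Ed25519 signature over the package bytes against a key pinned in the product. The vendor name, update URL, package bytes and key pair are all constructed for the example; `RunScenarios` plays out a genuine download and what a man-in-the-middle could substitute on each transport.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Update is one downloaded package: where it came from, its bytes, and the
// detached signature the vendor published alongside it.
type Update struct {
	SourceURL string
	Payload   []byte
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("update was fetched over a non-HTTPS URL")
	ErrBadSignature      = errors.New("update signature does not verify under the pinned vendor key")
)

// VerifyUpdate enforces the two controls the post says were missing:
// the package must have come over HTTPS, and its bytes must carry a valid
// Ed25519 signature from the vendor key pinned inside the product.
// Either failure means the package is never written to disk or executed.
func VerifyUpdate(vendorKey ed25519.PublicKey, u Update) error {
	parsed, err := url.Parse(u.SourceURL)
	if err != nil {
		return err
	}
	if parsed.Scheme != "https" {
		return ErrInsecureTransport
	}
	if len(vendorKey) != ed25519.PublicKeySize {
		return errors.New("pinned vendor key has the wrong size")
	}
	if !ed25519.Verify(vendorKey, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignUpdate is the vendor side: sign the package bytes with the release key.
// It lives here only so the example is self-contained; in practice the private
// key never leaves the vendor's signing infrastructure.
func SignUpdate(vendorPriv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(vendorPriv, payload)
}

// RunScenarios exercises VerifyUpdate against a genuine package and against
// what a man-in-the-middle could substitute on each transport. The key pair,
// URL and package bytes are constructed for this example (hypothetical vendor).
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	genuine := []byte("engine-signatures-v1.bin: constructed sample package bytes")
	sig := SignUpdate(priv, genuine)

	// A MitM can swap in its own file but cannot produce a signature under the vendor key.
	tampered := append(append([]byte{}, genuine...), []byte(" + attacker-inserted file")...)

	results := map[string]error{
		"genuine over https":  VerifyUpdate(pub, Update{"https://updates.example.com/av.bin", genuine, sig}),
		"genuine over http":   VerifyUpdate(pub, Update{"http://updates.example.com/av.bin", genuine, sig}),
		"tampered over https": VerifyUpdate(pub, Update{"https://updates.example.com/av.bin", tampered, sig}),
		"tampered over http":  VerifyUpdate(pub, Update{"http://updates.example.com/av.bin", tampered, sig}),
	}
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, outcome := range results {
		if outcome == nil {
			fmt.Printf("%-20s accepted\n", name)
		} else {
			fmt.Printf("%-20s rejected: %v\n", name, outcome)
		}
	}
}
```

The signature check is the control that actually defeats the substitution Koret describes: even if an attacker sits on the path, a replaced file fails verification because the release key is not theirs. Requiring HTTPS on top is defense in depth (it also hides which signature versions a machine is pulling), and pinning the public key inside the product rather than fetching it from the same update server keeps the two controls independent.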
Attack Surface
Here are two of his intro slides put into text. He's unfortunately right.
Fact: installing an application on your computer makes you a bit more vulnerable. You just increased your attack surface. If the application is local: your local attack surface increased. If the application is remote: your remote attack surface increased. If your application runs with the highest privileges, installs kernel drivers, a packet filter and tries to handle anything your computer may do... Your attack surface dramatically increased.
Myths and Reality
Antivirus propaganda: "We make your computer safer with no performance penalty!" and "We protect against unknown zero day attacks!". The reality is: "AV engines make your computer more vulnerable with a varying degree of performance penalty." and "The AV engine is as vulnerable to zero day attacks as the applications it tries to protect."
Joxean provides a list of some of the vulnerabilities he found; it includes heap overflows, remote vulnerabilities, integer overflows, local privilege escalation, and command injection. Ouch.
The list of products with one or more of these glitches includes Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda, and eScan. To illustrate the problem, InfoWorld just reported on a company called Offensive Security that found three zero-day flaws in Symantec's Endpoint Protection.
His conclusions are a bit shocking; you would have expected better from the AV crowd. It is grim: developers need to get their act together and increase the security of their products. Remember Microsoft's Secure Coding initiative from 10 years ago? That's a good example.
Throw Away Antivirus Completely?
No, AV is still part of your defense-in-depth. He has some points, but there are plenty of other apps with local privilege escalation bugs. Yes, it's a danger, but other apps carry similar risks; even a whitelisting product can have the same problem. Secure coding is a must these days!
The Best Bang For Your Security Budget
Today, an essential part of your defense-in-depth has to be stepping your users through effective security awareness training. This prevents spear-phishing and ransomware attacks from getting through. For a very low cost per user per year you get unlimited training and year-round automated simulated phishing attacks you can send to all users. That is a guaranteed way to get a massive drop in malware infections, and fun to do. You get reports of repeat offenders you can show to management. Find out how affordable this is for your own organization. (Hat Tip to Ionut Ilascu at SoftPedia.)