It was all over the press. Initially reported by BleepingComputer and picked up by sites like Engadget, they all went gaga over a new technique that allows the bad guys to take over your computer by "turning your antivirus into malware." Here is an example snippet:
"Security researchers from Cybellum have discovered another technique cyber criminals can use to take over your computer. The zero-day attack called DoubleAgent exploits Microsoft's Application Verifier tool, which developers use to detect and fix bugs in their apps.
Developers have to load a DLL into their applications to check them, and Cybellum's researchers found that hackers can use the tool to inject their own DLLs instead of the one Microsoft provides. In fact, the team proved that the technique can be used to hijack anti-virus applications and turn them into malware.
The corrupted app can then be used to take control of computers running any version of Windows from XP to the latest release of Windows 10."
And then they tested some AV apps, and sure enough a bunch of them could be exploited this way, but the same goes for any app on the machine. Some AV companies issued patches and said they had fixed the problem. Some news sites even had a video showing how DoubleAgent "can turn an anti-virus app into a ransomware that encrypts files until you pay up." Yeah, sure.
We're Calling BS
The non-technical press is missing that the attacker first needs admin access to the machine in order to make the required registry changes, so this whole code injection technique is cute, but nothing to write home about. The bad guy already owns the machine! This story is only about using Application Verifier in a post-breach situation.
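To make that precondition concrete from the defender's side, here is an added audit script (not code from the original post, from Cybellum, or from any AV vendor) that lists which executables carry an Application Verifier registration in the registry and flags verifier DLLs that do not resolve to a Microsoft-signed file in the system directory. The Image File Execution Options path, the GlobalFlag and VerifierDlls value names, and the WOW6432Node mirror are assumptions about the standard Windows mechanism, not details taken from the post; the "Microsoft-signed, in System32" baseline is this example's own choice.

```powershell
# Added example, not code from the original post, Cybellum, or any vendor:
# audit Image File Execution Options (IFEO) for Application Verifier
# registrations, the registry mechanism the DoubleAgent write-up relies on.
# Writing here already requires admin, so this is a post-breach hunt, not a
# prevention. Run from an elevated PowerShell prompt.
#
# Assumptions (not stated in the post): the IFEO path and the GlobalFlag /
# VerifierDlls value names are the standard Windows ones; the WOW6432Node
# path is only checked if it exists; "Microsoft-signed file in the system
# directory" is this example's own trust baseline.

$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$FlgApplicationVerifier = 0x100      # FLG_APPLICATION_VERIFIER bit of GlobalFlag
$SystemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Test-VerifierDll {
    # Resolve one VerifierDlls entry the way the loader does (by bare name,
    # from the system directory) and return a reason string if it looks off,
    # or $null if it resolves to a validly Microsoft-signed file.
    param([string]$DllName)
    if ($DllName -match '[\\/:]') {
        return 'path component in DLL name'
    }
    $file = $SystemDirs |
        ForEach-Object { Join-Path $_ $DllName } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1
    if (-not $file) { return 'DLL not found in system directory' }
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status) on $file" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "non-Microsoft signer on $file"
    }
    return $null
}

function Get-VerifierRegistration {
    # Emit one record per image that has the verifier flag set or a
    # VerifierDlls value, with per-DLL findings from Test-VerifierDll.
    foreach ($path in $IfeoPaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($key in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $globalFlag = 0
            if ($null -ne $props.GlobalFlag) {
                try { $globalFlag = [int]$props.GlobalFlag } catch { $globalFlag = 0 }
            }
            $verifierOn = [bool]($globalFlag -band $FlgApplicationVerifier)
            $dlls = @()
            if ($props.VerifierDlls) {
                $dlls = @($props.VerifierDlls -split '\s+' | Where-Object { $_ })
            }
            # Most IFEO subkeys are debugger or mitigation settings; skip those.
            if (-not $verifierOn -and $dlls.Count -eq 0) { continue }

            $findings = foreach ($dll in $dlls) {
                $why = Test-VerifierDll -DllName $dll
                if ($why) { "$dll ($why)" }
            }
            [pscustomobject]@{
                Image        = $key.PSChildName
                Hive         = $path
                VerifierOn   = $verifierOn
                VerifierDlls = ($dlls -join ' ')
                Findings     = (@($findings) -join '; ')
            }
        }
    }
}

# Anything with a non-empty Findings column, or a verifier registration on a
# security product's executable that nobody on the team set up, deserves a
# closer look.
Get-VerifierRegistration | Format-Table -AutoSize
```

Legitimate Application Verifier use (the Microsoft-shipped verifier DLLs living in System32) comes out with an empty Findings column, so the report stays quiet on a developer box. For near-real-time coverage rather than a periodic audit, the same two value names under the IFEO path are a natural target for a Sysmon registry value-set rule (Event ID 13) forwarded to your SIEM.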
The only AV company that stood their ground was Symantec and they said the right thing:
"After investigating this issue we confirmed that this PoC does not exploit a product vulnerability within Norton Security. It is an attempt to bypass an installed security product and would require physical access to the machine and admin privileges to be successful. We remain committed to protecting our customers and have developed and deployed additional detection and blocking protections to users in the unlikely event they are targeted."
Good for you Symantec.