We all trust our antivirus to be prim and proper and keep our computers safe from viruses, trojans, worms and the like. But what happens when the engine that runs the antivirus itself has severe exploitable vulnerabilities? According to a report published by The Inquirer, security researcher Joxean Koret claims to have found exploitable flaws in 14 major antivirus (AV) engines used by some of the world’s largest security vendors, including Bitdefender, ESET, AVG and F-Secure.
Koret, who works for the Singapore-based consultancy COSEINC, spoke about his findings at the Syscan 360 security conference in Beijing, China earlier this month. The news is only surfacing now because the slides from his presentation became available online this week. The slides detail how Koret used a custom fuzzing suite to find bugs in 14 of the 17 major antivirus engines he examined, engines that power antivirus software from firms such as AVG, Bitdefender, ESET and F-Secure.
Koret said that the bugs he found could expose users to man-in-the-middle (MITM) attacks, and that AV engines are “as vulnerable to zero-day attacks as the applications [they try] to protect”.
In a MITM attack the attacker inserts themselves into a communication channel, making independent connections with both ends and relaying messages between them, so that each side believes it is talking directly to the other over a private connection while the attacker actually controls the whole conversation. For an AV product the channel that matters is the update mechanism: an engine that fetches signature or engine updates over plain HTTP, and does not verify a digital signature on what it downloads, will install whatever an on-path attacker substitutes. That is exactly the gap Koret’s fifth recommendation below is meant to close.
Koret explained that almost all of the engines he looked at are written in C and/or C++, languages with no memory safety, so the file-format parsers at the heart of every scanner are prone to buffer and integer overflow bugs. Since every file the engine scans is attacker-controlled input, an attacker who finds such a bug can trigger it simply by getting a crafted file scanned.
“Exploiting AV engines is not different to exploiting other client-side applications,” he said. “They don’t offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. And sometimes they even disable such features.”
He added that attackers could also mount a privilege escalation attack, as most of the engines install OS drivers.
“Most antivirus engines run with the highest privileges: root or local system,” he said. “If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges.”
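The class of bug Koret is describing, as an added example that is not part of the article or of any vendor’s code: a parser for a toy container format (the format, the names and the sample header values are assumptions made for this illustration) whose entry count and entry size come straight from the untrusted file. The vulnerable version multiplies them in 32 bits, so a large count wraps to a tiny allocation that its bounds check then accepts; in a real engine the copy loop that follows would write past the buffer, as SYSTEM or root. The hardened version rejects the overflow before multiplying. The vulnerable function stops after the arithmetic rather than performing the copy, so the demo is safe to run.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy container format (an assumption for this example, not any
 * real AV-parsed format): 4-byte magic "TOY0", little-endian uint32 entry
 * count, little-endian uint32 entry size, then count*size bytes of entries. */
#define TOY_HDR_LEN 12

struct toy_result {
    int ok;              /* 1 = parser accepted the file */
    uint32_t alloc_size; /* bytes the parser would malloc for the entries */
    uint32_t entries;    /* entries it would then copy into that buffer */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: count * entry_size is computed in 32 bits and wraps, so a
 * count of 0x40000000 with 4-byte entries yields total == 0. The bounds check
 * runs on the wrapped value and passes; a real engine would then malloc(0) and
 * loop count times copying entries into it, a heap overflow. We stop here. */
struct toy_result toy_parse_vulnerable(const uint8_t *buf, size_t len) {
    struct toy_result r = {0, 0, 0};
    if (len < TOY_HDR_LEN || memcmp(buf, "TOY0", 4) != 0)
        return r;
    uint32_t count = rd32le(buf + 4);
    uint32_t entry_size = rd32le(buf + 8);
    uint32_t total = count * entry_size;      /* wraps modulo 2^32 */
    if (total > len - TOY_HDR_LEN)            /* checks the wrapped value */
        return r;
    r.ok = 1;
    r.alloc_size = total;                     /* would be malloc(total) */
    r.entries = count;                        /* then a loop over count entries */
    return r;
}

/* Hardened version: prove the product cannot overflow before computing it, then
 * bound it by the bytes actually present, so the copy is in bounds by construction. */
struct toy_result toy_parse_hardened(const uint8_t *buf, size_t len) {
    struct toy_result r = {0, 0, 0};
    if (len < TOY_HDR_LEN || memcmp(buf, "TOY0", 4) != 0)
        return r;
    uint32_t count = rd32le(buf + 4);
    uint32_t entry_size = rd32le(buf + 8);
    if (entry_size == 0 || count > UINT32_MAX / entry_size)
        return r;                             /* zero-size entries or overflow: malformed */
    uint32_t total = count * entry_size;
    if ((size_t)total > len - TOY_HDR_LEN)
        return r;                             /* truncated file */
    uint8_t *entries = malloc(total ? total : 1);
    if (!entries)
        return r;
    memcpy(entries, buf + TOY_HDR_LEN, total); /* total <= bytes remaining */
    free(entries);
    r.ok = 1;
    r.alloc_size = total;
    r.entries = count;
    return r;
}

/* Builds a file in the toy format with the given header values and payload. */
size_t toy_build(uint8_t *out, size_t cap, uint32_t count, uint32_t entry_size,
                 const uint8_t *payload, size_t payload_len) {
    if (cap < TOY_HDR_LEN + payload_len)
        return 0;
    memcpy(out, "TOY0", 4);
    for (int i = 0; i < 4; i++) {
        out[4 + i] = (uint8_t)(count >> (8 * i));
        out[8 + i] = (uint8_t)(entry_size >> (8 * i));
    }
    memcpy(out + TOY_HDR_LEN, payload, payload_len);
    return TOY_HDR_LEN + payload_len;
}

/* Feeds a constructed file (filler payload of payload_len bytes) to a parser. */
struct toy_result toy_run(struct toy_result (*parser)(const uint8_t *, size_t),
                          uint32_t count, uint32_t entry_size, size_t payload_len) {
    uint8_t file[64];
    uint8_t payload[64 - TOY_HDR_LEN];
    memset(payload, 0x41, sizeof payload);     /* constructed filler bytes */
    if (payload_len > sizeof payload)
        payload_len = sizeof payload;
    size_t n = toy_build(file, sizeof file, count, entry_size, payload, payload_len);
    return parser(file, n);
}

int main(void) {
    /* Crafted header: 0x40000000 entries of 4 bytes, 16 bytes of payload. */
    struct toy_result v = toy_run(toy_parse_vulnerable, 0x40000000u, 4u, 16);
    struct toy_result h = toy_run(toy_parse_hardened, 0x40000000u, 4u, 16);
    printf("vulnerable: accepted=%d alloc=%u entries=%u\n",
           v.ok, (unsigned)v.alloc_size, (unsigned)v.entries);
    printf("hardened:   accepted=%d\n", h.ok);
    return 0;
}
```

The vulnerable parser accepts the crafted file with a zero-byte allocation and over a billion entries to copy; the hardened one rejects it before any allocation. The same arithmetic pattern appears in any parser that derives a buffer size from two untrusted fields, which is why fuzzing AV engines with crafted archive, executable and document headers is so productive.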
Koret’s advice to AV users was not to trust their AV product blindly. To the vendors who build those products, he offered the following recommendations:
1. Don’t use the highest privileges possible for scanning network packets and files.
2. Audit their products.
3. Run dangerous code under an emulator, a virtual machine or, at the least, a sandbox.
4. Don’t trust their own processes.
5. Use SSL/TLS for updating their products, and digitally sign all files.
The Inquirer contacted Bitdefender about the vulnerabilities, and this is what a Bitdefender spokesperson had to say:
“We have fixed the bugs which he has published proof of concept exploits for, within days of publication. Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA processes which should result in far sturdier code and prevent similar situations in the future.” He added that, “We are still not in possession of the list of alleged bugs found by Koret, so we cannot tell if we have fixed them all, or, indeed, even if they are all reproducible.”
F-Secure agreed that its engines were vulnerable and the firm said the vulnerabilities were responsibly disclosed to the firm earlier this spring.
“We worked together with the researcher to analyze and fix the vulnerabilities,” said an F-Secure spokesperson. “All the vulnerabilities reported to us have been fixed through our normal vulnerability fix process and automatically deployed to our customers. This includes the vulnerabilities reported to us in the Bitdefender engine, which we also use in some of our products.”
F-Secure thanked Koret “for his important work”, and for collaborating with the company’s researchers to help improve its products. “To our knowledge, the vulnerabilities have never been used to attack our customers,” the firm added.
As for ESET, the security firm’s head of core technology development, Jakub Debski, told The Inquirer, “ESET proactively contacted [Koret] to learn more about the issue. ESET resolved the problem and published an update in less than three days.
“ESET always welcomes researchers who follow responsible disclosure procedures of bugs and issues. While we do everything possible to ensure that products are fault free, sadly no software is perfect.”
The Inquirer said it was still awaiting a reply from AVG, the other big AV maker named in the report.
Source: The Inquirer