AV engines are riddled with exploitable bugs
July 29, 2014 – 5:40 AM
A security researcher has found a great number of exploitable vulnerabilities in popular security solutions and the AV engines they use, proving not only that AV engines are as vulnerable to zero-day attacks as the applications they try to protect, but also that they can lower the operating system's exploit mitigations.
“Installing an application in your computer makes you a bit more vulnerable,” says Joxean Koret, a researcher with Singapore-based Coseinc, and that is equally true for AV solutions.
Wielding a custom-developed fuzzing suite against all the AV engines he could find, he unearthed dozens of remotely exploitable vulnerabilities. He tested the engines used by BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV and AVG.
Almost all of the engines are written in C and/or C++, which opens the door for attackers to discover and leverage buffer and integer overflow bugs. Also, most of them install OS drivers, which could allow an attacker to perform escalation of privilege.
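The integer overflow class mentioned above, as an added illustration that is not from the research or from any vendor's code: a constructed toy container format (4-byte little-endian record length, then the body) parsed the way an AV file-format parser would, with the wrapping bounds check a fuzzer finds beside a hardened version that checks by subtraction so no addition can wrap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <limits.h>

/* Constructed toy format (not any real AV or archive format):
 * [4-byte little-endian length][body of that many bytes]. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect pattern: "start + header + len <= size" computed in 32 bits.
 * A length near UINT32_MAX wraps the sum to a small value, so the check
 * passes and a later copy reads far past the end of the input buffer.
 * Returns what the flawed check would decide; it copies nothing. */
bool bounds_check_buggy(const uint8_t *buf, size_t buflen, size_t off) {
    if (off + 4 > buflen) return false;
    uint32_t len = le32(buf + off);
    uint32_t end = (uint32_t)off + 4 + len;   /* 0 + 4 + 0xFFFFFFFC wraps to 0 */
    return end <= buflen;                     /* 0 <= buflen: "in bounds" */
}

/* Hardened parser: copies the record body into out and returns its length,
 * or -1 if the record is truncated, oversized, or would not fit in out.
 * Every bound is expressed as "remaining space >= needed", which is a
 * subtraction of two values already known to be ordered, so nothing wraps. */
int parse_record_safe(const uint8_t *buf, size_t buflen, size_t off,
                      uint8_t *out, size_t outlen) {
    if (off > buflen || buflen - off < 4)   /* 4-byte header must fit */
        return -1;
    uint32_t len = le32(buf + off);
    size_t body = off + 4;                  /* safe: off + 4 <= buflen */
    if (len > buflen - body)                /* body must fit in the input */
        return -1;
    if (len > outlen || len > INT_MAX)      /* and in the caller's buffer */
        return -1;
    memcpy(out, buf + body, len);
    return (int)len;
}
```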
“Most (if not all…) antivirus engines run with the highest privileges: root or local system,” he noted. “If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges.”
Finally, most AVs get updates via HTTP-only protocols, which could lead to man-in-the-middle attacks that deliver malware instead of updates.