A SECURITY RESEARCHER has claimed to have found exploitable flaws in 14 major anti-virus (AV) engines used by some of the world's largest security vendors.
The security expert responsible for exposing the bugs is Joxean Koret, a researcher at Singapore-based consultancy COSEINC, who spoke at the Syscan 360 security conference in Beijing, China earlier this month about his findings. The slides from his presentation became available online only this week, and detail how he used a custom fuzzing suite to find bugs in 17 of the major antivirus engines that power antivirus software from firms such as AVG, Bitdefender, ESET and F-Secure.
Koret said that the bugs he found could expose users to man in the middle (MITM) attacks and said that they are "as vulnerable to zero-day attacks as the applications [they try] to protect".
MITM attacks are active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, while the entire conversation is actually controlled by the attacker.
Koret explained that almost all of the engines he looked at were written in C and/or C++, which exposes them to buffer and integer overflow bugs that attackers can discover and leverage.
"Exploiting AV engines is not different to exploiting other client-side applications," he said. "They don't offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. And sometimes they even disable such features."
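The overflow class Koret describes typically shows up where a C parser trusts a length field from the file it is scanning. The following is an added example, not Koret's code or any vendor's engine: a constructed toy archive-entry header (4-byte little-endian name length, name, 4-byte data length, data) checked first with the vulnerable pattern, where the size arithmetic wraps, and then with a bounds check that cannot wrap.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy header layout (not any real archive format):
   [name_len:4 LE][name][data_len:4 LE][data] */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: "header + name_len" is computed in 32-bit arithmetic,
   so a hostile name_len wraps to a small value and passes the check. */
int entry_fits_unchecked(const uint8_t *buf, uint32_t buf_len) {
    if (buf_len < 8) return 0;
    uint32_t name_len = rd32(buf);
    uint32_t needed = 8 + name_len;   /* wraps when name_len >= 0xFFFFFFF8 */
    return needed <= buf_len;         /* wrongly 1 after the wrap */
}

/* Hardened pattern: compare each length against the bytes that remain,
   subtracting only what has already been verified, so nothing can wrap. */
int entry_fits_checked(const uint8_t *buf, uint32_t buf_len) {
    if (buf_len < 4) return 0;
    uint32_t name_len = rd32(buf);
    if (name_len > buf_len - 4) return 0;        /* name runs past the end */
    uint32_t rest = buf_len - 4 - name_len;
    if (rest < 4) return 0;                      /* no room for data_len */
    uint32_t data_len = rd32(buf + 4 + name_len);
    if (data_len > rest - 4) return 0;           /* data runs past the end */
    return 1;
}

/* Constructed samples: a benign entry and one with a wrapping name_len. */
const uint8_t benign[16]  = {3,0,0,0,'a','b','c',5,0,0,0,'h','e','l','l','o'};
const uint8_t hostile[16] = {0xF8,0xFF,0xFF,0xFF,0,0,0,0,0,0,0,0,0,0,0,0};

int main(void) {
    printf("benign : unchecked=%d checked=%d\n",
           entry_fits_unchecked(benign, 16), entry_fits_checked(benign, 16));
    printf("hostile: unchecked=%d checked=%d\n",
           entry_fits_unchecked(hostile, 16), entry_fits_checked(hostile, 16));
    return 0;
}
```

The unchecked version accepts the hostile header, so a subsequent copy of name_len bytes would read and write far past the buffer; the checked version rejects it before any copy happens.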
He added that hackers could also perform an escalation of privilege attack, as most of the engines install OS drivers.
"Most antivirus engines run with the highest privileges: root or local system," he said. "If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges."
Koret recommended that AV users should not trust their AV product, but that if they are going to use one, it should not run with the highest privileges possible when scanning network packets and files; it should be audited; it should run dangerous code under an emulator, virtual machine or sandbox; it should not trust its own processes; and it should use SSL/TLS for updates and digitally sign all files.
We contacted some of the security firms that Koret tested.
Bitdefender said it had been aware of Koret's findings since he published his presentation, but had no prior contact, "as Koret does not believe in responsible disclosure".
"We have fixed the bugs which he has published proof of concept exploits for, within days of publication. Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA processes which should result in far sturdier code and prevent similar situations in the future," a Bitdefender spokesperson said.
"We are still not in possession of the list of alleged bugs found by Koret, so we cannot tell if we have fixed them all, or, indeed, even if they are all reproducible."
F-Secure had a very different story. When we contacted it, the firm said the vulnerabilities were responsibly disclosed to the firm earlier this spring.
"We worked together with the researcher to analyze and fix the vulnerabilities," said an F-Secure spokesperson. "All the vulnerabilities reported to us have been fixed through our normal vulnerability fix process and automatically deployed to our customers. This includes the vulnerabilities reported to us in the Bitdefender engine, which we also use in some of our products."
F-Secure thanked Koret "for his important work", and for collaborating with the company's researchers to help improve its products. "To our knowledge, the vulnerabilities have never been used to attack our customers," the firm added.
As for ESET, the security firm's head of core technology development, Jakub Debski, told The INQUIRER, "ESET proactively contacted [Koret] to learn more about the issue. ESET resolved the problem and published an update in less than three days.
"ESET always welcomes researchers who follow responsible disclosure procedures of bugs and issues. While we do everything possible to ensure that products are fault free, sadly no software is perfect."
Since posting this article, an AVG spokesperson sent us a statement and said it is aware of Koret's findings and disputes his claim that AV software makes your computer more vulnerable.
"Our Antivirus software detects millions of threats in our user base every day and we continue to develop technologies that address these threats to help our customers," the firm said. "Of the alleged vulnerabilities in our engine stated in the report, we fixed the 7z 'archive bomb' on April 23 2014 and updated our user base. The rest of the issues raised in the report relating to AVG remain unconfirmed and are under review."