A VULNERABILITY in antivirus software that allows an attacker to deliberately quarantine malicious code and then move it to any location they like on a victim's machine has been disclosed by Austrian security researcher Florian Bogner.
The weakness, dubbed 'AVGater' by Bogner, was originally found in more than a dozen common antivirus programmes, and he says seven further, as yet undisclosed, antivirus apps also suffer from the problem. The companies that have already fixed their software are: Emsisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and ZoneAlarm.
In short, an attacker deliberately triggers the antivirus protections that automatically quarantine files that look malicious, then abuses a privilege mismatch in the restore process to have that file written back to a more dangerous location of their choosing, such as the root (C:) drive.
"AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service. Hence, file system ACLs [Access Control Lists] can be circumvented (as they don't really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system," Bogner explained.
The end result of triggering these vulnerabilities is full control of a system for a local non-admin attacker.
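To make the privilege mismatch concrete, the following is an added illustration, not Bogner's proof of concept or any vendor's code: a model of a restore routine running as a privileged service that writes to whatever destination the user requests, beside one that refuses links in the path and destinations outside the user's own area. The directory names, the sample "quarantined" file and the use of a symbolic link standing in for a Windows junction are constructed assumptions for the demo.

```python
import os
import tempfile
from pathlib import Path

# Model of a "quarantine restore" performed by a privileged service on behalf
# of a low-privileged user. Constructed for illustration; not any AV's code.


def vulnerable_restore(quarantine_file: str, requested_dest: str) -> str:
    """Restore the file to exactly the path the user asked for.

    The service runs with full privileges, so filesystem ACLs do not stop it,
    and it follows whatever link the user planted along the way. Returns the
    real path the data actually landed on."""
    data = Path(quarantine_file).read_bytes()
    Path(requested_dest).write_bytes(data)
    return os.path.realpath(requested_dest)


def hardened_restore(quarantine_file: str, requested_dest: str,
                     allowed_root: str) -> str:
    """Restore only inside allowed_root, and only through a link-free path."""
    dest = Path(requested_dest)
    root = os.path.realpath(allowed_root)
    # 1. Refuse if any directory on the way is a link (junction on Windows).
    for component in [dest.parent, *dest.parent.parents]:
        if component.is_symlink():
            raise PermissionError(f"link in restore path: {component}")
    # 2. Refuse if the fully resolved destination escapes the allowed root.
    resolved = os.path.realpath(requested_dest)
    if os.path.commonpath([resolved, root]) != root:
        raise PermissionError(f"destination {resolved} is outside {root}")
    # 3. Create the file atomically, never following a link at the last step.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(requested_dest, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(Path(quarantine_file).read_bytes())
    return resolved


def demo() -> dict:
    """Constructed scenario: the user's area contains a link into a privileged dir."""
    base = Path(tempfile.mkdtemp())
    program_files = base / "program_files"   # stands in for a SYSTEM-only dir
    user_dir = base / "user"                 # stands in for the user's own area
    quarantine = base / "quarantine"
    for d in (program_files, user_dir, quarantine):
        d.mkdir()
    sample = quarantine / "sample.bin"
    sample.write_bytes(b"MZ constructed payload")   # fake quarantined file

    # Attacker step: a directory in their own area that points at the
    # privileged one, then a restore request "into" that directory.
    os.symlink(program_files, user_dir / "restore_here", target_is_directory=True)
    request = user_dir / "restore_here" / "evil.dll"

    landed = vulnerable_restore(str(sample), str(request))
    try:
        hardened_restore(str(sample), str(request), str(user_dir))
        blocked = False
    except PermissionError:
        blocked = True
    # A legitimate restore into the user's own area must still work.
    legit = hardened_restore(str(sample), str(user_dir / "clean.bin"), str(user_dir))
    return {
        "vulnerable_wrote_into_program_files":
            Path(landed).parent == program_files.resolve(),
        "planted_file_exists": (program_files / "evil.dll").exists(),
        "hardened_blocked": blocked,
        "hardened_allowed_legit": Path(legit).parent == user_dir.resolve(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable routine is the confused deputy the article describes: the user cannot write to the privileged directory, but the service can, and it never asks whether the destination the user named is one the user could have written to themselves. The hardened version ties the restore to the requesting user's own area and rejects any link in the path, which is the check that turns an arbitrary privileged file write back into an ordinary, unprivileged one.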
While the other AV companies are still working on a fix for the potential vulnerability, it's probably best for any network admins to ensure that regular users can't restore files identified as threats, which sort of sounds like common sense anyway, to be honest. µ