Security Researchers Uncover Bugs in Antivirus Software Which Helps Hackers Get In
- By Dawna M. Roberts
- Published: Oct 06, 2020
- Last Updated: Mar 18, 2022
According to research firm CyberArk, most popular anti-malware programs include bugs that allow hackers to increase their privileges on the system and take control.
The Problem
Through a series of articles, CyberArk explains in great detail the bugs in anti-malware software and the methods hackers could use to elevate their privileges and gain complete control of the system. The irony is that these programs are meant to protect the computer system and keep malware out when, in fact, they can be the very thing exploited to let it in.
The elevated privileges that anti-malware software requires on the system are exactly what make it such an attractive target. The good news is that CyberArk also included an explanation of some of these bugs and of the changes you can make to your system to close the holes.
Windows machines are most affected by these issues as macOS has a different file structure and format that does not handle permissions the same way.
Some of the affected programs which you might be familiar with are:
- Symantec.
- Kaspersky.
- McAfee.
- Trend Micro.
- Check Point.
- Fortinet.
- Microsoft Defender.
- Avira.
Each of these vendors has confirmed that the bugs have been addressed and corrected in the latest versions.
The Scary Stuff
One of the most alarming aspects of these bugs is that they allow hackers to delete files from many areas of your Windows machine. They could potentially delete or corrupt any file anywhere on your system and render it unusable. This exploit could be used in conjunction with ransomware.
A Few Vulnerable Areas
The first area of concern is the ProgramData directory. It’s where programs store data not specific to any user. It’s also a very dangerous place because malware, or hackers with the right privileges, could install apps and viruses into this folder and affect the entire system. By default, every user has “write” and “delete” permissions on that folder, which presents a real danger: if a user account were hacked and its privileges elevated, the perpetrator could do some real damage there.
The problem is twofold: if a non-privileged process creates directories or files that are later used by a privileged process, havoc can ensue. Alternatively, if a directory or folder already exists before the privileged process creates it, the DACL (Discretionary Access Control List) is not updated automatically, leaving that directory exposed to abuse.
Through their research and testing, the firm discovered that privileged and non-privileged users sometimes share the same log files. This could allow cybercriminals to delete the file and replace it with malicious code. CyberArk used a combination of NTFS mount points and Object Manager symbolic links to test whether these folders could be abused to insert malicious code, and they were successful.
Another area of concern is DLL hijacking. Some program installers (the software that places programs onto the machine) contain a vulnerability that allows privilege elevation through DLL hijacking because they rely on an old installation framework that has not been patched. CyberArk recommends updating your installation frameworks to eliminate this possibility. Most installers load DLL files, so if hackers plant a malicious DLL that essentially piggybacks on the installer, they could gain access that way as well. The older frameworks listed as potentially vulnerable were:
- InstallShield.
- InnoSetup.
- NSIS installer.
- WiX installer.
During testing, all the anti-malware vendors had frameworks that were not updated, leaving them vulnerable. These companies have since updated their installers to patch the holes.
Other Security Recommendations
In their detailed technical report, they also include a few other tips to keep your system safe from hacking, ransomware, and viruses:
- Change the DACLs on your system before creating new folders and using existing ones. Close all the holes where a hacker could get a foothold.
- Use LoadLibraryEx instead of the old LoadLibrary API, which is vulnerable.
- Use correct impersonation when accessing a file from two separate secure areas.
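As an added example of the first recommendation (my code, not CyberArk's or any vendor's), this Windows PowerShell 5.1 script audits the subfolders of ProgramData for Allow entries that give Users, Everyone or Authenticated Users write or delete rights, and shows how a privileged installer can create its own folder with a protected DACL while refusing to reuse a folder that already exists under an unexpected owner. The identity list and the SDDL string are my assumptions, not values from the report.

```powershell
# Added example (not CyberArk's code). Assumes Windows PowerShell 5.1 (.NET Framework)
# running on Windows; the identity list and SDDL below are this example's own choices.
param([string]$Root = $env:ProgramData)
# Identities whose write rights let an unprivileged user plant files, mount points or links.
$broadIdentities = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
$dangerous = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Find-BroadWriteAcl {
    param([string]$Path)
    Get-ChildItem -Path $Path -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broadIdentities -contains $ace.IdentityReference.Value -and
                (($ace.FileSystemRights -band $dangerous) -ne 0)) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function New-RestrictedDirectory {
    param([string]$Path)
    # A pre-existing folder keeps the DACL its creator gave it, so refuse unexpected owners.
    if (Test-Path -LiteralPath $Path) {
        $owner = (Get-Acl -LiteralPath $Path).Owner
        if ($owner -notin @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
            throw "Refusing to use ${Path}: unexpected owner $owner"
        }
        return Get-Acl -LiteralPath $Path
    }
    # Protected DACL (no inheritance from ProgramData): SYSTEM and Administrators only.
    $sd = New-Object System.Security.AccessControl.DirectorySecurity
    $sd.SetSecurityDescriptorSddlForm('D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)')
    # Passing the descriptor at creation time leaves no window with the default ACL in effect.
    [System.IO.Directory]::CreateDirectory($Path, $sd) | Out-Null
    return Get-Acl -LiteralPath $Path
}

Find-BroadWriteAcl -Path $Root | Format-Table -AutoSize
```

Run the script as an administrator to list folders that any user can write to or delete from; a privileged installer would call New-RestrictedDirectory with its own log or data path instead of relying on the permissions ProgramData hands out by default.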
In their summary, CyberArk summed it up with, “The implications of these bugs are often full privilege escalation of the local system. Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization. The exploits that were presented here are easy to implement, but also easy to patch against. We have seen that blocking symlink attacks or blocking the load of malicious DLLs requires only a small touchup in the code. Knowing that, AV vendors should be able to eliminate this widespread bug class.”
Even those programs designed to keep us safe have their flaws, which begs the question, how do we protect our systems from cybercriminals going forward?