According to cybersecurity firm CyberArk, at least one anti-malware product on every Windows system is vulnerable to exploitation.
Until now, antivirus and anti-malware solutions were believed to be our best bet for thwarting malware attacks. However, in its research, CyberArk discovered that every product it tested had security flaws that may allow attackers to escalate privileges on a system.
These antivirus and anti-malware products could be abused through file manipulation attacks, which would render them ineffective.
CyberArk revealed that it tested security solutions from almost every mainstream vendor.
The researchers found security flaws that any attacker could easily abuse to hijack a system. This means the antivirus solutions designed to protect the user can inadvertently assist malware by allowing an attacker to gain elevated privileges on the device.
Moreover, the company claims that most products had similar types of bugs. Anti-malware products in particular were more exposed to exploitation because of the high privileges they run with. The researchers found the number of bugs in anti-malware solutions to be staggeringly high; however, most of them could be fixed easily.
According to Eran Shimony of CyberArk, the vulnerabilities more or less share a common root cause: all of the software misuses system resources while running with elevated privileges.
Moreover, Shimony stated that all of the security software they tested was not adequately hardened and was vulnerable to DLL hijacking.
Another common flaw they identified involved tricking privileged applications into targeting a different file when performing a write, read, or delete operation.
"The exploits that were presented here are easy to implement, but also easy to patch against. We have seen that blocking symlink attacks or blocking the load of malicious DLLs requires only a small touchup in the code. Knowing that, AV vendors should be able to eliminate this widespread bug class," wrote Shimony.
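As an added illustration (not CyberArk's code or any vendor's), the PowerShell audit below checks the precondition that both bug classes described above share: a directory that a privileged product reads from, writes to, or loads DLLs from, but that low-privileged users are allowed to write to. It walks a directory tree and reports every Allow ACE that grants Everyone, Users, Authenticated Users or INTERACTIVE a right permitting files or reparse points to be created or replaced. The root path is a placeholder; point it at the product's install and data directories.

```powershell
# Added example, not from the article or from CyberArk: audit a directory tree used by a
# privileged Windows product for ACEs that let low-privileged principals write. Such
# write access is what makes DLL planting and file-redirection (symlink) bugs exploitable.
param(
    # Placeholder path (assumption); replace with the product's install or ProgramData directory
    [string]$Root = 'C:\ProgramData\ExampleVendor'
)

# Principals that should never hold write rights on directories a SYSTEM-level service trusts
$LowPriv = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, replacing or deleting files and reparse points in a directory
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Find-WeakAce {
    param([string]$Path)

    # Include the root itself, then every subdirectory beneath it
    $dirs = @(Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            # Only Allow entries for low-privileged principals matter here
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($LowPriv -notcontains $id) { continue }

            # Report the ACE if any write-capable bit is set
            if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Principal = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$findings = @(Find-WeakAce -Path $Root)
if ($findings.Count -eq 0) {
    Write-Output "No low-privileged write access found under $Root"
} else {
    # Each row is a directory a privileged component should not trust until its DACL is tightened
    $findings | Format-Table -AutoSize
}
```

A finding on a directory that a SYSTEM-level service writes to or loads code from is what to fix, normally by tightening the DACL so that only Administrators and SYSTEM can write there. On the code side, the small touch-ups Shimony refers to correspond to standard Windows practice: load DLLs by full path or with LOAD_LIBRARY_SEARCH_SYSTEM32 (or after SetDefaultDllDirectories) rather than the default search order, and open files under user-writable paths with FILE_FLAG_OPEN_REPARSE_POINT, or otherwise check for reparse points, before reading, writing or deleting them.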
CyberArk reported the security flaws to the vendors, who patched them quickly. The affected products included two from McAfee, three anti-malware solutions from Kaspersky, one each from Fortinet, Symantec and Check Point, and five from Trend Micro.
To exploit the vulnerabilities, an attacker would need local access to the system. The researchers assessed that the bugs were not as critical as those that enable unauthenticated remote code execution.