It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.
According to Joxean Koret, a researcher at Singapore security firm COSEINC, antivirus programs are as vulnerable to attacks as the applications they're trying to protect and expose a large attack surface that can make computers even more vulnerable.
Koret spent the last year analyzing antivirus products and their engines in his spare time and claims to have found dozens of remotely and locally exploitable vulnerabilities in 14 of them. The vulnerabilities ranged from denial-of-service issues to flaws that allow potential attackers to elevate their privileges on systems or to execute arbitrary code. Some bugs were located in antivirus engines -- the core parts of antivirus products -- and some in various other components.
Koret presented his findings at the SysScan 360 security conference earlier this month.
"Exploiting AV engines is not different to exploiting other client-side applications," the researcher said in his presentation slides. They don't use any special self-protections and rely on anti-exploitation technologies in the OS like ASLR (address space layout randomization) and DEP (data execution prevention); and sometimes they even disable those features, he said.
Because antivirus engines typically run with the highest system privileges possible, exploiting vulnerabilities in them will provide attackers with root or system access, Koret said. Their attack surface is very large, because they must support a long list of file formats and file format parsers typically have bugs, he said.
According to the researcher, another issue is that some antivirus products don't digitally sign their updates and don't use encrypted HTTPS connections to download them, which allows man-in-the-middle attackers to inject their own malicious files into the traffic that would get executed.
During his SysScan talk, Koret disclosed vulnerabilities and some other security issues, like the lack of ASLR protection for some components, in antivirus products from Panda Security, Bitdefender, Kaspersky Lab, ESET, Sophos, Comodo, AVG, IKARUS Security Software, Doctor Web, MicroWorld Technologies, BKAV, Fortinet and ClamAV. However, he also claimed to have found vulnerabilities in the Avira, Avast, F-Prot and F-Secure antivirus products.
Koret did not report the issues he found to all affected vendors, because he thinks that vendors should audit their own products and run bug bounty programs to attract independent research. Some of his other recommendations for vendors include using programming languages "safer" than C and C++, not using the highest privileges possible when parsing network packets and files because "file parsers written in C/C++ code are very dangerous," running potentially dangerous code in emulators or sandboxes, using SSL and digital signatures for updates and removing code for old very threats that hasn't been touched in years.
The researcher confirmed in his presentation slides that some of the vulnerabilities he found had been fixed.
Independent of Koret's analysis, researchers from Offensive Security recently found three privilege escalation vulnerabilities in Symantec's Endpoint Protection product. The flaws can be exploited by a local user with limited privileges to gain full system access. Symantec is currently investigating the flaws.
"I won't go to the extent to say that AV software is pointless, since we do know that users still love clicking and installing stuff, and many networks are compromised this way," said Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security and a long-time vulnerability researcher. "However, system administrators should carefully select which security products they buy as well as which features are enabled -- especially when it comes to content inspection. All those file format parsers have proven again and again over the years to be treasure troves to attackers."
Eiram said that while he didn't attend Koret's talk, he looked over the slides and the research appears to be solid.
"Adding a huge attack surface, which often happens when installing AV software or other security software, in an attempt to make systems/networks more secure does not increase overall security," Eiram said. "I agree that it often decreases it."
The fact that antivirus products have vulnerabilities might not be surprising to security researchers, but many regular users likely assume that security products are inherently secure. After all, it would be fair to expect good coding practices and solid secure development lifecycles from companies that are clearly familiar with the risks of vulnerable code and sell protection against attacks that exploit vulnerabilities in other software.
This problem, however, extends beyond antivirus programs. Ben Williams, a penetration tester with NCC Group, analyzed security appliances, including email and Web security gateways, firewalls, remote access servers and UTM (united threat management) systems, from leading vendors in 2012 and concluded that most of them are poorly maintained Linux systems running insecure Web applications.
"While we do everything possible to ensure that products are fault free, sadly no software is perfect," an ESET representative said via email in response to an inquiry about Koret's research. The company contacted Koret after the researcher tweeted some of his findings on March 1 and fixed the problem he identified in less than three days, the representative said. "ESET always welcomes researchers who follow responsible disclosure procedures of bugs and issues."
A Bitdefender representative said via email that the company also fixed the problems disclosed in Koret's presentation slides within days of their release. However, the company is not in possession of the entire list of bugs that the researcher claims to have found and can't be sure that it has fixed all of them, or if they're even reproducible.
"Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA [quality assurance] processes which should result in far sturdier code and prevent similar situations in the future," the Bitdefender representative said.
The issues in Kaspersky Lab's antivirus products that were outlined in Koret's presentation, namely the absence of ASLR in some components and a potential denial-of-service issue when scanning nested archives, are not critical to the security protection of the company's customers, a Kaspersky representative said via email. Software that is written without ASLR is not implicitly more vulnerable to exploits, but Kaspersky Lab added ASLR to the product components that were lacking it -- vlns.kdl and avzkrnl.dll -- after Koret's presentation, he said.
The archive issue where scanning of a 3MB 7-Zip file can allegedly produce a 32GB dump file could not be verified or refuted because the company has not received a detailed description of the methodology used by the researcher.