Updated April 28 with comments from Malwarebytes
More than 28 consumer and enterprise antivirus products from 16 different brands may have a serious software flaw that can cripple Windows, Mac, and Linux machines, security firm RACK911 reports
Affected companies include well-known names such as Kaspersky, McAfee, Microsoft, and Norton; Windows, macOS, and Linux products are all affected
Exploitation of this flaw could trick AV software into deleting its own files or deleting critical system files
"We were able to easily delete critical files associated with the antivirus software, rendering it ineffective, and even delete critical operating system files that could cause serious corruption that would require a complete reinstallation of the OS," RACK911 wrote in a blog post outlining its findings
"Most antivirus vendors have fixed their products, with a few unfortunate exceptions," RACK911 stated
"Given how many vendors were vulnerable, we believe there are additional lesser-known products that are vulnerable to this type of attack"
In an update to the initial blog post, RACK911 stated, "We have received questions about lesser-known antivirus software not listed on this page. We received questions about antivirus software and found them all to be vulnerable"
Users should make sure that their antivirus software is completely up to date, since most vendors have already patched the flaw
Notably, none of the top products we selected for our best antivirus software for Windows ranking, including those from Bitdefender, Kaspersky, and Norton, was found to be vulnerable in its Windows consumer version. Windows consumer products appear to be less affected than Mac consumer products and Windows and Linux enterprise products
That may be because enterprise products are more deeply "hooked" into the operating system than consumer products, or because even the most well-known brands (Microsoft's Defender software for Macs is on the list) may be less aware of possible flaws on Mac and Linux
RACK911 does not name which AV vendors have not fixed the flaw, but the brands and products where the vulnerability was found are listed below. Products known to have been patched are marked as such
Update: Malwarebytes said on April 28, "We are working on a patch for this issue and will have it available to customers soon"
Microsoft said on April 29 that "our anti-malware products are not currently vulnerable to the methods discussed in this investigation," and FireEye told us the same day that it had "nothing further to add on this topic"
Avast told us on May 1 that the flaw "does not apply to Avast and AVG antivirus (free or paid) products, as the checks performed by Avast and AVG FileShield detect and block attacks"
Essentially, the attack tricks the AV software into treating a critical file as if it were the malware it flagged, so the AV software then quarantines or deletes that file
Such an attack is possible because any user or process can create links to other directories (on Windows) or files (on Mac or Linux). When the AV software detects a malicious file, it flags it and then quarantines or deletes it
In the mere seconds between flagging the malicious file and deactivating it, the attacker can replace the malicious file's location with a link to a file of the same name elsewhere on the machine. So even though the AV software correctly determined that the file was malicious, what it actually deletes or quarantines is a perfectly legitimate, even critical, file elsewhere on the system
"A second too early or too late, the exploit will not work," the RACK911 blog explains. This attack cannot be done remotely. The attacker must already have access to the system, which is easier said than done, although malware that has entered the system by other means would be able to pull it off. The best antivirus software will go a long way toward preventing that
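The race described above, as an added example that is not code from the article or from RACK911: a Python script, assumed to run on Linux or macOS (it relies on O_NOFOLLOW, O_DIRECTORY and the dir_fd parameters of os.open and os.unlink, and uses a symbolic link as a stand-in for the links the article mentions). It contrasts a remediation routine that re-resolves the flagged path at deletion time with one that pins the directory and file identity captured at scan time. The temporary directory, the "critical" file and the flagged sample are constructed for the demonstration.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FlaggedFile:
    """Identity of a file captured at scan time: parent directory, file name,
    and the (device, inode) pairs of the directory and file, taken from open
    handles rather than from the path string."""
    parent: str
    name: str
    dir_id: tuple
    file_id: tuple


def flag_file(path):
    """Scan-time step: open the parent directory and the file without
    following links, and record their identities from the handles."""
    parent, name = os.path.split(os.path.abspath(path))
    dfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        ffd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        try:
            dst, fst = os.fstat(dfd), os.fstat(ffd)
        finally:
            os.close(ffd)
    finally:
        os.close(dfd)
    return FlaggedFile(parent, name, (dst.st_dev, dst.st_ino), (fst.st_dev, fst.st_ino))


def naive_remove(flagged):
    """Vulnerable pattern: re-resolve the path at remediation time and delete
    whatever it points to now. If the name became a link in the window between
    flagging and deletion, realpath follows it and the link *target* is removed."""
    target = os.path.realpath(os.path.join(flagged.parent, flagged.name))
    os.remove(target)
    return True


def safe_remove(flagged):
    """Hardened pattern: reopen parent and file with O_NOFOLLOW, confirm both
    handles still carry the identity captured at scan time, then unlink the
    name relative to the pinned directory handle. Returns True if the file
    was deleted and False if remediation was refused.

    Even if the name is swapped again after the check, unlink relative to the
    directory handle only removes the directory entry (a link, at worst),
    never the file a link points to."""
    try:
        dfd = os.open(flagged.parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:
        return False
    try:
        dst = os.fstat(dfd)
        if (dst.st_dev, dst.st_ino) != flagged.dir_id:
            return False  # the directory itself was replaced
        try:
            ffd = os.open(flagged.name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        except OSError:
            return False  # ELOOP: the name is now a symbolic link
        try:
            fst = os.fstat(ffd)
        finally:
            os.close(ffd)
        if (fst.st_dev, fst.st_ino) != flagged.file_id:
            return False  # a different file was put in place of the sample
        os.unlink(flagged.name, dir_fd=dfd)
        return True
    finally:
        os.close(dfd)


def demo():
    """Run both remediation routines against the same constructed race.
    Returns {label: (deleted_flag, critical_file_still_exists)}."""
    root = tempfile.mkdtemp(prefix="avrace-")
    try:
        critical = os.path.join(root, "critical.conf")  # stands in for a system file
        scan_dir = os.path.join(root, "downloads")
        os.mkdir(scan_dir)
        results = {}
        for label, remove in (("naive", naive_remove), ("safe", safe_remove)):
            with open(critical, "w") as f:
                f.write("keep me\n")
            flagged_path = os.path.join(scan_dir, "dropper.bin")
            with open(flagged_path, "w") as f:
                f.write("constructed sample flagged as malicious\n")
            flagged = flag_file(flagged_path)
            # Simulated race window: the flagged name is swapped for a link
            # pointing at the critical file before remediation runs.
            os.unlink(flagged_path)
            os.symlink(critical, flagged_path)
            try:
                deleted = remove(flagged)
            except OSError:
                deleted = False
            results[label] = (deleted, os.path.exists(critical))
            if os.path.lexists(flagged_path):
                os.unlink(flagged_path)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the naive routine reporting success while the critical file is gone, and the hardened routine refusing and leaving it intact. The key design point is that identity is compared on open handles, and the final unlink is issued relative to a directory handle opened without following links, so the path string is never trusted twice.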
Nevertheless, RACK911 has some harsh words for the antivirus vendors it worked with to fix these flaws
"We have been involved in penetration testing for a long time and never imagined that our counterparts in the anti-virus industry would be so difficult to work with due to the constant lack of updates and complete disregard for the urgency of patching security vulnerabilities," its blog post states
"It is critical that file operations be performed with the lowest level of privileges in order to prevent attacks from taking place.
"Users must always assume malicious intent, and by placing privileged file operations within the user's reach, you are opening the door to a wide range of security vulnerabilities"