Another day, another problem with antivirus software. Antivirus tools are designed to protect your computers, but events over the years suggest that they can end up causing their own problems. Antivirus firms have had their fair share of dramas, even over the last few months.

In January, Trend Micro patched a security bug in its Password Manager, found by a Google security researcher, that allowed web sites to execute arbitrary commands and steal users’ passwords. The software used an “ancient build of Chromium”, according to the researcher, Tavis Ormandy.

Trend Micro staff pointed out to SecTor that the Password Manager is a separate product from its antivirus tool, although it does come bundled in some editions, and added that they fixed the problem quickly.

A month before that, Ormandy discovered a bug in AVG’s antivirus Chrome extension, called AVG Web TuneUp, that exposed users’ browsing history, personal data, and cookies to attackers. The extension installed itself forcibly when users installed AVG’s software.

More recently, Intel patched a security hole in McAfee Enterprise antivirus that enabled attackers to disable antivirus on a victim’s machine.

So how much can we trust our antivirus software? Security researcher Joxean Koret believes that they’re riddled with bugs. He highlighted some of them at a presentation during the SysScan 360 security conference in 2014, and said that he’d found security flaws in 14 antivirus products.

Antivirus products increase your attack surface and typically make your machine more vulnerable, because they’re as prone to zero-days as any other software, he warned at the time. He doesn’t believe that antivirus software is much safer from attack today than it was back then.

“An enemy actor can just exploit a zero-day in your favourite $50 antivirus [software] instead of burning a more expensive vulnerability in a browser or in the operating system kernel,” he said. “For a targeted attack, it is a rather interesting vector.”

Koret doesn’t advocate grandma uninstalling her trusted antivirus tool, particularly. SMBs are also mostly safe, he said. But he believes that larger organizations or strategic targets likely to suffer sophisticated attacks should be at least a little worried.

With privilege comes great responsibility

Antivirus code needs even more diligence than the code found in other applications. “AV is the software with the highest attack surface on the computer because it has to process a lot of untrusted data,” said Maik Morgenstern, chief technology officer for AV-Test, which publishes independent tests of antivirus software.

“Pretty much every file and every network packet has to be inspected by the software. That’s why it is extremely important to have as few vulnerabilities in the code as possible,” he added.

Antivirus software is also a critical point of failure because of its escalated privileges on the system. It has to run in privileged mode because it needs a high degree of system visibility, along with the ability to capture and stop files that are trying to do malicious things to your system. If it ran using the same privileges as those malicious files, then it wouldn’t be able to see what was going on as easily.

Vendors have used various methods to gain high privilege over the years. “In the early days of antivirus, not all the Windows APIs were documented or available to software developers, so the AV developers had to find their own way of running on the system and blocking the malicious code,” said Greg Wasson, program manager of malicious code for ICSA Labs, which tests anti-malware software.

This lack of documentation meant that developers would have to pick over Windows to find these loopholes, giving their software a way into the system that others would not have. “It was almost a reverse engineering of the Windows API calls,” he said.

These days, Microsoft documents all of these calls to make them more reliable, according to Wasson, adding that antivirus companies have been moving to the documented versions.

The tools also install themselves as services running under privileged administrative accounts on OSX or Windows, said Koret, along with installing kernel drivers that tinker directly with the heart of the operating system. To get these onto the system, they ask the user for permission, and typically use software signed with digital certificates created by the OS provider (typically Microsoft or Apple).

Parser attacks

How do the attacks on antivirus products occur? One of the most common ways is by exploiting weaknesses in their file parsers, argued Carsten Eiram, chief research officer at vulnerability intelligence service Risk Based Security.

Antivirus tools must scan a panoply of different file types to look for potentially malicious code. Each file type will have its own parameters and must be scanned differently. That’s a difficult task, and can lead to errors.

Attackers find such weaknesses with a technique known as ‘fuzzing’: feeding the parser deliberately malformed files containing data that lies outside the expected parameters, until one of them tips the parser into a confused, vulnerable state.

“If the parsing happens within a highly privileged process, it allows an attacker to execute code with these high privileges without having to worry about finding other vulnerabilities to escalate privileges,” he said. “That is why a single vulnerability in a security product may grant full control over a system.”
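As an added illustration of the parser problem Eiram describes (example code written for this article, not taken from any vendor's product), here is a bounds-checked parser for a constructed toy file format beside the naive version it replaces, plus a small mutation loop that exercises it the way a fuzzer would. The "SCAN" format, the PAYLOAD_CAP limit, the result codes and the xorshift-based mutation loop are all assumptions made for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy container format, used only for this example:
 *   bytes 0..3 : magic "SCAN"
 *   bytes 4..5 : payload length, little-endian uint16 (attacker-controlled)
 *   bytes 6..  : payload
 */
#define MAGIC       "SCAN"
#define HDR_LEN     6
#define PAYLOAD_CAP 64

enum parse_result { PARSE_OK = 0, PARSE_BAD_MAGIC, PARSE_TRUNCATED, PARSE_TOO_LARGE };

static uint16_t read_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Naive parser: trusts the declared length and copies that many bytes into a
 * fixed-size buffer. A file that declares more bytes than PAYLOAD_CAP, or more
 * than are actually present, overruns the destination and reads past the
 * input. Shown for contrast only; never call it on untrusted input. */
static int parse_naive(const uint8_t *file, size_t file_len, uint8_t *out) {
    (void)file_len;                       /* the bug: file_len is never consulted */
    if (memcmp(file, MAGIC, 4) != 0) return PARSE_BAD_MAGIC;
    uint16_t declared = read_le16(file + 4);
    memcpy(out, file + HDR_LEN, declared); /* unchecked copy */
    return PARSE_OK;
}

/* Hardened parser: every length taken from the file is checked against both
 * the bytes actually available and the destination capacity before any copy.
 * Returns PARSE_OK and sets *out_len on success. */
static int parse_checked(const uint8_t *file, size_t file_len,
                         uint8_t *out, size_t out_cap, size_t *out_len) {
    if (file_len < HDR_LEN) return PARSE_TRUNCATED;
    if (memcmp(file, MAGIC, 4) != 0) return PARSE_BAD_MAGIC;
    uint16_t declared = read_le16(file + 4);
    if (declared > file_len - HDR_LEN) return PARSE_TRUNCATED; /* claims more than present */
    if (declared > out_cap) return PARSE_TOO_LARGE;             /* would overflow out */
    memcpy(out, file + HDR_LEN, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Deterministic pseudo-random generator so the fuzz loop is reproducible. */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Tiny mutation fuzzer: overwrites one random byte of a well-formed sample
 * (the length field included) and feeds each mutant to the checked parser.
 * Returns how many mutants were accepted; the point is that the loop runs
 * to completion without the parser ever copying beyond its buffer. */
static unsigned fuzz_checked_parser(unsigned iterations, uint32_t seed) {
    uint8_t sample[HDR_LEN + 16] = "SCAN\x10\x00";    /* constructed: 16-byte payload */
    memcpy(sample + HDR_LEN, "0123456789abcdef", 16);
    uint8_t mutant[sizeof sample];
    uint8_t out[PAYLOAD_CAP];
    unsigned accepted = 0;
    for (unsigned i = 0; i < iterations; i++) {
        memcpy(mutant, sample, sizeof sample);
        uint32_t r = xorshift32(&seed);
        mutant[r % sizeof sample] = (uint8_t)(r >> 8);  /* one random byte replaced */
        size_t n = 0;
        if (parse_checked(mutant, sizeof mutant, out, sizeof out, &n) == PARSE_OK)
            accepted++;
    }
    return accepted;
}

int main(void) {
    uint8_t good[HDR_LEN + 16] = "SCAN\x10\x00";
    memcpy(good + HDR_LEN, "0123456789abcdef", 16);
    uint8_t lie[HDR_LEN + 16] = "SCAN\xff\xff";         /* declares 65535 bytes, has 16 */
    uint8_t out[PAYLOAD_CAP];
    size_t n = 0;
    printf("well-formed : %d (len %zu)\n", parse_checked(good, sizeof good, out, sizeof out, &n), n);
    printf("lying header: %d\n", parse_checked(lie, sizeof lie, out, sizeof out, &n));
    printf("naive on good input: %d\n", parse_naive(good, sizeof good, out));
    printf("fuzz: %u of 10000 mutants accepted, no overrun\n", fuzz_checked_parser(10000, 12345u));
    return 0;
}
```

The naive function is exactly the shape of bug a malformed-file fuzzer finds: one attacker-controlled integer feeding a copy. In the checked version the two comparisons against the input size and the output capacity are the whole fix, and the mutation loop is the cheapest regression check a vendor can keep in its own build.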

Securing the development cycle

How can antivirus vendors mitigate these threats? Protecting their software is even more critical for them than it is for companies that ship other applications on users’ operating systems.

“They have to implement all state of the art technologies,” said Morgenstern. “And they have to improve their development cycles.”

These protective measures include address space layout randomization, data execution prevention, and StackGuard, all of which can help to protect against buffer overflow attacks. Kaspersky said that it uses ASLR and DEP, and that it “plans to expand their usage in future”.

Firms are beginning to use these techniques, Morgenstern said. “They are usually watching their files and performing integrity checks to prevent/notice any unauthorized changes on them,” he said. “However, if there is a vulnerability in the program code and it is being exploited, then it is difficult for the AV product to defend itself.”

These errors mean that antivirus companies should be combing through their code to be sure that they’re constantly updating it against new attacks. “Check old code for newly discovered types of vulnerabilities and follow secure coding practices,” he said.

That probably doesn’t include ancient builds of Chromium, then.
