
Vulnerabilities present in 'every major anti-malware product'

New research from CyberArk has revealed that anti-malware products from every major antivirus vendor it tested could be exploited to achieve privilege escalation.

The firm tested anti-malware products from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, Microsoft, Avast and F-Secure and found that every one of them could be abused to escalate privileges on users' systems.

This is quite ironic: anti-malware solutions are supposed to protect users, yet they may unintentionally help malware gain more privileges on a system. According to CyberArk's new blog post, many vendors fall into the same classes of bugs, and the high privileges anti-malware products run with make them particularly attractive targets for exploitation.

The sheer number of bugs found in anti-malware products can be staggering, but many of them could be eliminated easily if the security companies that make these products implemented a few changes.

Anti-malware bugs

The first cause of many of the bugs found in anti-malware products is that many Windows applications use the operating system's ProgramData directory to store data that is not tied to a specific user, and that directory, unlike a user's profile, can be written to by any local user. Programs that store data tied to a specific user generally use the %LocalAppData% directory, which only the currently logged-in user can access.

CyberArk set out to answer two questions: what happens if a non-privileged process creates directories or files that a privileged process will later use, and what happens if you create a directory or directory tree before a privileged process does?

To answer the first question, the firm looked at Avira's AV, which has two processes that write to the same log file. CyberArk was able to redirect the output of the write operation to any file it wanted by using a symlink attack. While the firm used Avira's AV as an example, it pointed out that this privilege escalation method is not limited to this product or vendor alone. To answer the second question, CyberArk's research found that in 99 percent of cases a privileged process won't change the DACL (Discretionary Access Control List) of an existing directory, so whatever permissions the directory's original creator set, possibly a standard user, remain in force.

DLL hijacking is another way in which anti-malware products can be abused for privilege escalation. In this technique a standard user abuses the DLL loading of a privileged process and ends up injecting code into it.

To prevent privilege escalation in anti-malware products, CyberArk recommends that developers change DACLs before use, impersonate correctly, update the installation frameworks of their software and use LoadLibraryEx (whose flags let a program restrict where a DLL is searched for).
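A defender-side check for the ProgramData weakness and the "change DACLs before use" recommendation, as an added PowerShell example that is not CyberArk's or any vendor's code; the directory path is a placeholder, and the remediation step assumes an elevated prompt.

```powershell
# Added example (not code from the CyberArk research or from any vendor named above). Audits a
# %ProgramData% directory a privileged process is assumed to use (placeholder path), flags ACEs that
# let low-privileged principals plant files or reparse points in it, and applies a restrictive DACL.
$Path = Join-Path $env:ProgramData 'ExampleVendor\Logs'   # placeholder, not a real product path

# Rights that let a standard user create, replace or redirect content in the directory
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $FSR::CreateFiles -bor $FSR::CreateDirectories -bor $FSR::WriteData -bor
             $FSR::AppendData -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
             $FSR::ChangePermissions -bor $FSR::TakeOwnership
# Principals whose write access to a privileged process's directory is a red flag
$LowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')

function Test-WeakDacl {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPriv -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band $WriteMask) -ne 0) { $ace }   # emit each weak ACE
    }
}

function Set-HardenedDacl {
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the permissive ProgramData default
    foreach ($rule in @($acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]))) {
        $null = $acl.RemoveAccessRule($rule)       # drop every explicit ACE that remains
    }
    $inh = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    foreach ($entry in @(@('NT AUTHORITY\SYSTEM', $FSR::FullControl),
                         @('BUILTIN\Administrators', $FSR::FullControl),
                         @('BUILTIN\Users', $FSR::ReadAndExecute))) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $entry[0], $entry[1], $inh, [System.Security.AccessControl.PropagationFlags]::None, 'Allow'))
    }
    Set-Acl -LiteralPath $Directory -AclObject $acl
}

if (-not (Test-Path -LiteralPath $Path)) { throw "Directory $Path does not exist" }
# Symlinks or junctions already inside the directory are the redirection primitive described above
Get-ChildItem -LiteralPath $Path -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Warning "Reparse point found: $($_.FullName)" }
$weak = @(Test-WeakDacl -Directory $Path)
if ($weak.Count -gt 0) {
    $weak | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    Set-HardenedDacl -Directory $Path      # needs an elevated prompt
}
```

The same audit applies to any directory a privileged process reads DLLs or configuration from, which is the same root cause behind the DLL hijacking case above.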

Date

05 Oct 2020
