Antivirus Software Isn't Very Secure, Researchers Find


Antivirus software is often just as insecure as the software it's meant to protect — and running it might make you even more insecure, according to a researcher with Singapore-based security firm Coseinc.

At the SyScan 360 security conference in Beijing earlier this month, Joxean Koret claimed to have found flaws in the antivirus engines at the heart of many major antivirus products, including those made by Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan. Koret also documented several ways that antivirus software could allegedly be compromised or manipulated to turn what should be a wall into a door.


Koret's presentation, the slides from which are available online as a PDF, began by pointing out that every newly installed program on a computer makes that computer just a little more vulnerable, because it increases the attack surface — it creates more code paths and connections that can be hacked or otherwise exploited.

The next problem is that antivirus programs often install with high administrator privileges, which lets them perform necessary actions such as scanning the entire computer and modifying or removing malicious programs. However, if an antivirus program were compromised, the attacker would inherit that extensive power over the computer on which it was installed.

Koret said antivirus programs are just as likely to have flaws, even serious zero-day flaws, as any other program, simply because a human being wrote them. For example, most antivirus programs update themselves via insecure HTTP connections, and most of those updates are not cryptographically verified, Koret said.

Koret argues that it would be easy for would-be attackers to stage a man-in-the-middle attack by intercepting an antivirus program's HTTP connection, inserting themselves between the update server and the antivirus software's client machines and thereby gaining access to the antivirus programs on home and business PCs. 
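As an added example (not from Koret's slides or from any of the products named above), this is the client-side check that closes the gap just described: the vendor signs an update manifest with an Ed25519 key whose public half is pinned in the client, and the client verifies the manifest, its version and the hash of the downloaded blob before using any of it, so an update altered or replayed in transit over plain HTTP is rejected. The manifest format and key handling are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is published next to each update blob; Version is strictly increasing so an old update cannot be replayed.
type Manifest struct {
	Version int64
	SHA256  string
}

func (m Manifest) bytes() []byte {
	return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, m.SHA256))
}

// SignManifest runs on the vendor side; the private key never reaches clients.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate runs on the client before any downloaded byte is used; only the pinned key and installed version are trusted.
func VerifyUpdate(pub ed25519.PublicKey, installed int64, m Manifest, sig, blob []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid: update rejected")
	}
	if m.Version <= installed {
		return errors.New("manifest not newer than installed version: replay rejected")
	}
	sum := sha256.Sum256(blob)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("update blob does not match signed hash: update rejected")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	blob := []byte("constructed signature-database update")
	sum := sha256.Sum256(blob)
	m := Manifest{Version: 2, SHA256: hex.EncodeToString(sum[:])}
	fmt.Println(VerifyUpdate(pub, 1, m, SignManifest(priv, m), blob)) // <nil>
}
```

Because the transport is never trusted, the same check works unchanged whether the update arrives over HTTP, HTTPS or a mirror.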

Koret said he had identified bugs in 17 major antivirus programs. Some companies, such as Avast and ESET, had already patched their software by the time of Koret's presentation, but others allegedly had not.

How concerned should regular computer users be about Koret's findings? Not too concerned, said Andreas Marx, CEO of independent antivirus-testing firm AV-TEST in Magdeburg, Germany.

"Insecure code might put the user at risk, as demonstrated in the presentation. However, at the moment, such attacks are more research-oriented (proof of concept) or might be used for targeted attacks," Marx told Tom's Guide. "I'm not aware of a recent widespread virus or other malware which exploited a vulnerability in AV software."

Because there are so many different antivirus programs, none has a commanding share of the market, Marx observed. So why target a single antivirus program when nearly every computer in the world uses other vulnerable products such as Java, Adobe Reader or Adobe Flash Player? 

"With Java, or Adobe Reader, or Flash, you have good targets — if you find a vulnerability, you know that millions of PCs are affected," Marx said. "There are a lot more antivirus products on the market, so you won't easily reach a high infection rate if you exploit a security vulnerability there."

Jill Scharr is a staff writer for Tom's Guide.

  • hotwire_downunder
    What a pile of garbage! This fellow is taking factual data that everyone in the security industry already knows, taking a totally one-sided, sensationalized view and presenting it like it's the gospel!

    His research and test samples are of a very small subset. If I didn't know better I would believe this garbage and put myself at risk. Very irresponsible journalism.

    There are good Malware Products and Bad ones just like any other product we use. That's what the test Labs and Reports are for.
  • Antivirus only protects from known threats, and only if those threats don't run around with a ski/Anonymous mask over their programming, so to speak.
  • Nothing new here, but the number of morons who trust these pieces of crap is astounding.