Antivirus Software Isn't Very Secure, Researchers Find

Credit: wk1003mike


Even the best antivirus software is often just as insecure as the software it's meant to protect — and running it might make you even more insecure, according to a researcher with Singapore-based security firm Coseinc.

At the SyScan 360 security conference in Beijing earlier this month, Joxean Koret claimed to have found flaws in antivirus engines found at the hearts of many major antivirus software products, including those made by Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan. (Many of these companies make some of the best Mac antivirus software and best Android antivirus apps.)

Koret also documented several ways that antivirus software could be allegedly compromised or manipulated to make what should be a wall into a door.


Koret's presentation, the slides from which are available online as a PDF, began by pointing out that every newly installed program on a computer makes that computer just a little more vulnerable, because it increases the attack surface — it creates more code paths and connections that can be hacked or otherwise exploited.

The next problem is that antivirus programs often install with high administrator privileges, which lets them perform necessary actions such as scanning the entire system and modifying or removing malicious programs. However, if an antivirus program were compromised, the attacker would inherit those same privileges and have extensive power over the computer on which it was installed.

Koret said antivirus programs are just as likely to have flaws, even serious zero-day flaws, as any other program, simply because a human being wrote them. For example, most antivirus programs update themselves via insecure HTTP connections, and most of those updates are not cryptographically verified, Koret said.

Koret argued that this makes it easy for would-be attackers to stage a man-in-the-middle attack: by intercepting an antivirus program's HTTP update connection and inserting themselves between the update server and the antivirus software's client machines, they could serve a modified update and thereby gain control of the antivirus programs on home and business PCs.
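The two update weaknesses described above (plain HTTP transport and no cryptographic verification of what arrives) are addressed by the same client-side check: verify a vendor signature over the update with a pinned public key before trusting a single byte of it, and refuse packages that are not newer than what is installed. The following is an added illustration written for this article, not code from Koret's slides or from any antivirus vendor; the `UpdatePackage` format, the version-binding rule and the key handling are assumptions of the example, and it uses only Go's standard-library Ed25519 implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, hypothetical update format (not any vendor's):
// a monotonically increasing version, the update bytes, and an Ed25519 signature
// over sha256(version || payload) made with the vendor's offline signing key.
type UpdatePackage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// signedDigest binds the version to the payload so that someone on the wire
// cannot re-label an old, genuinely signed update as a newer one.
func signedDigest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is what the vendor's build pipeline would do with its private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedDigest(version, payload)),
	}
}

// VerifyUpdate is the client-side check that an unauthenticated HTTP updater lacks:
// it verifies the signature with the pinned vendor public key before trusting any
// part of the package, then refuses rollback to an older (possibly vulnerable) version.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, pkg UpdatePackage) error {
	// Length checks first: ed25519.Verify panics on a malformed public key.
	if len(pub) != ed25519.PublicKeySize || len(pkg.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, signedDigest(pkg.Version, pkg.Payload), pkg.Signature) {
		return ErrBadSignature
	}
	if pkg.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed demo: a throwaway vendor key pair and a fake update package.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installed := uint32(41)
	good := SignUpdate(priv, 42, []byte("constructed signature database, version 42"))
	fmt.Println("genuine update:", VerifyUpdate(pub, installed, good))

	// Simulate the payload being swapped in transit: the signature no longer matches.
	tampered := good
	tampered.Payload = []byte("modified content")
	fmt.Println("tampered update:", VerifyUpdate(pub, installed, tampered))

	// A genuinely signed but older package is refused as a rollback.
	fmt.Println("replayed old update:", VerifyUpdate(pub, 42, good))
}
```

The order of the checks is the point: the signature is verified before the version field is consulted, so nothing in a package is acted on until it is known to come from the vendor. Transport security (HTTPS) is still worth having on top of this, since it also protects the client from being fingerprinted by its update requests, but a signature check with a pinned key is what makes the content of the update trustworthy regardless of how it travelled.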

Koret said he had identified bugs in 17 major antivirus programs. Some companies, such as Avast and ESET, had already patched their software by the time of Koret's presentation, but others allegedly had not.

How concerned should regular computer users be about Koret's findings? Not too concerned, said Andreas Marx, CEO of independent antivirus-testing firm AV-TEST in Magdeburg, Germany.

"Insecure code might put the user at risk, as demonstrated in the presentation. However, at the moment, such attacks are more research-oriented (proof of concept) or might be used for targeted attacks," Marx told Tom's Guide. "I'm not aware of a recent widespread virus or other malware which exploited a vulnerability in AV software."

Because there are so many different antivirus programs, none has a commanding share of the market, Marx observed. So why target a single antivirus program when nearly every computer in the world uses other vulnerable products such as Java, Adobe Reader or Adobe Flash Player? 

"With Java, or Adobe Reader, or Flash, you have good targets — if you find a vulnerability, you know that millions of PCs are affected," Marx said. "There are a lot more antivirus products on the market, so you won't easily reach a high infection rate if you exploit a security vulnerability there."

Jill Scharr is a staff writer for Tom's Guide.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.