SAN FRANCISCO — Many well-known antivirus products have serious flaws that undermine Windows security and render PCs more vulnerable to attack than they would otherwise be, two Israeli researchers demonstrated at the BSides SF 2016 security conference here today (Feb. 29).
The problems arise because most types of antivirus software penetrate deep into Windows, intercepting both Microsoft and third-party-software processes with "hooks" that alter the running processes. The antivirus products do this to make Windows safer, but they often leave their hooks accessible to external attackers, who can hijack the hooks and successfully infect a Windows machine.
"Almost all the vendors we tested were vulnerable to at least one issue," said enSilo researcher Tomer Bitton, who presented the findings with his colleague Udi Yavo.
In a December blog post, Bitton wrote that AVG, Kaspersky Lab and Intel McAfee had had insecure products, which had all been patched by the previous September. At today's presentation, Bitton and Yavo hinted that they had found vulnerabilities in other products that they could not yet disclose.
"We worked closely with the vendors to address these issues, most of which are already patched," Bitton said. "But they're not all patched, so we're not mentioning names."
In the past year or two, information-security experts have become increasingly concerned that antivirus products themselves could be exploited to infect computers. Antivirus products have a very large "attack surface" in that they monitor all network ports, examine all third-party software and handle malware directly. They also run with very high system privileges, have permission to alter all sorts of running processes and launch at system startup.
Google researcher Tavis Ormandy has in the past six months found major flaws in Avast, AVG, Comodo, Malwarebytes and Trend Micro antivirus software. The flaws included insecure browser "tune-up" tools, a password manager that exposed stored passwords and at least three "secure" Web browsers that were vulnerable to attack.
Perhaps the most serious flaw, and one that Bitton and Yavo did not address, is that many antivirus products don't use secure Web connections to update malware definitions, or don't verify their own software updates with digital signatures.
At the ShmooCon security conference this past January, Synack researcher Patrick Wardle showed how a "man-in-the-middle" attack that intercepted an update of Kaspersky antivirus software could be used to infect a Mac with malware.
This past October, German antivirus testing lab AV-TEST evaluated products from 21 antivirus brands for internal security. Only six brands were found to be signing their code, and only three of those — ESET, Intel McAfee and Symantec Norton — had taken defensive measures that would at least partly protect against the sort of hook-hijacking that Bitton and Yavo discussed today.
For technically skilled Windows users, Bitton and Yavo created a tool that they've called AVulnerabilityChecker to, well, check for vulnerability in AV software. They've posted instructions for using it on the enSilo blog. (We tried it ourselves, and our build of Bitdefender Antivirus Plus seems to have passed.)
"Code hooking is an important technique for security software, but it has security implications," the researchers said. "On some of these products, it was quite clear that the security-research team [of the antivirus company] was not part of the development process."