"Installing an application in your computer makes you a bit more vulnerable," says Joxean Koret, a researcher with Singapore-based Coseinc, and that is equally true for AV solutions.
Wielding a custom developed fuzzing testing suite against all the AV engines he could find, he unearthed dozens of remotely exploitable vulnerabilities. He tested the engines used by BitDefender, Comodo, F-Prot, F-Secure, Avast, ClamAV, AVG.
Almost all engines written in C and/or C++, which opens the door for attackers to discover and leverage buffer and integer overflow bugs. Also, most of them install OS drivers, which could allow attacker to perform escalation of privilege.
"Most (if not all...) antivirus engines run with the highest privileges: root or local system," he noted. "If one can find a bug and write an exploit for the AV engine, (s)he just won root or system privileges."
Finally, most AVs get updates via HTTP only protocols, which could lead to man-in-the-middle attacks that deliver malware instead of updates.
"Exploiting AV engines is not different to exploiting other client-side applications," he noted. "They don't offer any special self-protection. They rely on the operating system features (ASLR/DEP) and nothing else. And sometimes they even disable such features."
A lot of the vulnerabilities he found and responsibly disclosed to some of the vendors have been fixed, and he shared details of some of these and of how he exploited them with the audience of the SyScan 360 security conference held in Beijing two weeks ago.
He offered several recommendation for AV users - don't trust your AV product, audit the AV engine, isolate machines with AV engines used for gateways, network inspection, and so on - but the bulk of his advice was directed at AV companies:
- Don't use the highest privileges possible for scanning network packets and files
- Audit your products, establish a bug bounty program
- Run dangerous code under an emulator, vm, or in a sandbox
- Don't trust your own processes
- Use SSL/TLS for updating your product, digitally sign all files
- Drop useless old code.
For more details about the vulnerabilities and the exploits, you can check out Koret's presentation slides.