Vulnerability strikes popular Antivirus Software

Major anti-virus software such as Kaspersky, McAfee and AVG have been struck by a major vulnerability according to Israel-based cyber-security startup enSilo. It recently showed how AVG Internet Security 2015, McAfee VirusScan Enterprise version 8.8 and Kaspersky Total Security 2015 were all vulnerable to the same flaw.

Coding issue was the main vulnerability that has affected these giants of the enterprise antivirus software. The software would allocate memory for read and write, as well as execute permissions with an address that an attacker could easily predict and then proceed to inject code into the target system.

The vulnerability was originally found by enSilo in AVG in March 2015. Tomer Bitton, vice president of research at enSilo, wrote in a recent blog post, “The enSilo product alerted on a product collision with AVG, also installed in the customer’s environment. A follow-up investigation conducted by our researchers revealed a flaw in AVG.”

The flaw would allow an attacker to exploit old vulnerabilities in a third-party application “in order to compromise the underlying Windows system”. When Bitton spoke to SCMagazineUK.com, he described what he saw as the essential problem: “The anti-virus companies adopted a coding malpractice which essentially defeats Windows’ mitigations against application exploitation.” This meant that the anti-virus products could conceivably become an “attacker’s vehicle into taking complete control of the underlying Windows system”.

Data Execution Prevention which stops attackers executing data as if it were code, or Address Space Layout Randomization (ASLR) which mixes up the address space layout to prevent

While AVG did not respond for comment, Kaspersky released a statement to SC saying that the vulnerability disclosed by enSilo had been fixed in the September auto-updated patch. “The vulnerability couldn’t be exploited by itself with code execution and privilege escalation, but could have simplified the exploitation of 3rd party application vulnerabilities, such as stack based buffer-overflow,” it said.

The company added, “Kaspersky Lab takes all necessary measures to provide our users with reliable, high-quality, real-time protection from cyber-threats. Moreover, we have always valued the efforts of independent researchers that allow us to make our products better and offer better protection for our customers.”

McAfee also commented that, “Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers’ claims and took action to develop and distribute a solution addressing it. This solution was distributed to customers  in a patch on August 26, 2015. We are not aware of any customers targeted with an exploit of the issue in question.”