Antivirus products riddled with security flaws, researcher says

Antivirus products increase a computer's attack surface and may even lower operating system protections, a security researcher claims

It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.

According to Joxean Koret, a researcher at Singapore security firm COSEINC, antivirus programs are as vulnerable to attacks as the applications they're trying to protect and expose a large attack surface that can make computers even more vulnerable.

Koret spent the last year analyzing antivirus products and their engines in his spare time and claims to have found dozens of remotely and locally exploitable vulnerabilities in 14 of them. The vulnerabilities ranged from denial-of-service issues to flaws that allow potential attackers to elevate their privileges on systems or to execute arbitrary code. Some bugs were located in antivirus engines -- the core parts of antivirus products -- and some in various other components.

Koret presented his findings at the SysScan 360 security conference earlier this month.

"Exploiting AV engines is not different to exploiting other client-side applications," the researcher said in his presentation slides. They don't use any special self-protections and rely on anti-exploitation technologies in the OS like ASLR (address space layout randomization) and DEP (data execution prevention); and sometimes they even disable those features, he said.

Because antivirus engines typically run with the highest system privileges possible, exploiting vulnerabilities in them will provide attackers with root or system access, Koret said. Their attack surface is very large, because they must support a long list of file formats and file format parsers typically have bugs, he said.

According to the researcher, another issue is that some antivirus products don't digitally sign their updates and don't use encrypted HTTPS connections to download them, which allows man-in-the-middle attackers to inject their own malicious files into the traffic that would get executed.

During his SysScan talk, Koret disclosed vulnerabilities and some other security issues, like the lack of ASLR protection for some components, in antivirus products from Panda Security, Bitdefender, Kaspersky Lab, ESET, Sophos, Comodo, AVG, IKARUS Security Software, Doctor Web, MicroWorld Technologies, BKAV, Fortinet and ClamAV. However, he also claimed to have found vulnerabilities in the Avira, Avast, F-Prot and F-Secure antivirus products.

Koret did not report the issues he found to all affected vendors, because he thinks that vendors should audit their own products and run bug bounty programs to attract independent research. Some of his other recommendations for vendors include using programming languages "safer" than C and C++, not using the highest privileges possible when parsing network packets and files because "file parsers written in C/C++ code are very dangerous," running potentially dangerous code in emulators or sandboxes, using SSL and digital signatures for updates and removing code for old very threats that hasn't been touched in years.

The researcher confirmed in his presentation slides that some of the vulnerabilities he found had been fixed.

Independent of Koret's analysis, researchers from Offensive Security recently found three privilege escalation vulnerabilities in Symantec's Endpoint Protection product. The flaws can be exploited by a local user with limited privileges to gain full system access. Symantec is currently investigating the flaws.

"I won't go to the extent to say that AV software is pointless, since we do know that users still love clicking and installing stuff, and many networks are compromised this way," said Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security and a long-time vulnerability researcher. "However, system administrators should carefully select which security products they buy as well as which features are enabled -- especially when it comes to content inspection. All those file format parsers have proven again and again over the years to be treasure troves to attackers."

Eiram said that while he didn't attend Koret's talk, he looked over the slides and the research appears to be solid.

"Adding a huge attack surface, which often happens when installing AV software or other security software, in an attempt to make systems/networks more secure does not increase overall security," Eiram said. "I agree that it often decreases it."

The fact that antivirus products have vulnerabilities might not be surprising to security researchers, but many regular users likely assume that security products are inherently secure. After all, it would be fair to expect good coding practices and solid secure development lifecycles from companies that are clearly familiar with the risks of vulnerable code and sell protection against attacks that exploit vulnerabilities in other software.

This problem, however, extends beyond antivirus programs. Ben Williams, a penetration tester with NCC Group, analyzed security appliances, including email and Web security gateways, firewalls, remote access servers and UTM (united threat management) systems, from leading vendors in 2012 and concluded that most of them are poorly maintained Linux systems running insecure Web applications.

"While we do everything possible to ensure that products are fault free, sadly no software is perfect," an ESET representative said via email in response to an inquiry about Koret's research. The company contacted Koret after the researcher tweeted some of his findings on March 1 and fixed the problem he identified in less than three days, the representative said. "ESET always welcomes researchers who follow responsible disclosure procedures of bugs and issues."

A Bitdefender representative said via email that the company also fixed the problems disclosed in Koret's presentation slides within days of their release. However, the company is not in possession of the entire list of bugs that the researcher claims to have found and can't be sure that it has fixed all of them, or if they're even reproducible.

"Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA [quality assurance] processes which should result in far sturdier code and prevent similar situations in the future," the Bitdefender representative said.

The issues in Kaspersky Lab's antivirus products that were outlined in Koret's presentation, namely the absence of ASLR in some components and a potential denial-of-service issue when scanning nested archives, are not critical to the security protection of the company's customers, a Kaspersky representative said via email. Software that is written without ASLR is not implicitly more vulnerable to exploits, but Kaspersky Lab added ASLR to the product components that were lacking it -- vlns.kdl and avzkrnl.dll -- after Koret's presentation, he said.

The archive issue where scanning of a 3MB 7-Zip file can allegedly produce a 32GB dump file could not be verified or refuted because the company has not received a detailed description of the methodology used by the researcher.

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags FortinetComodoDoctor WebNCC GroupExploits / vulnerabilitiesbitdefenderkaspersky labantivirussophosmicroworld technologiesBKAVIKARUS Security SoftwareCOSEINCAvirasymantecsecurityAvastpanda securityDesktop securityf-secureesetAVG

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?