Antivirus products riddled with security flaws, researcher says

Antivirus products increase a computer's attack surface and may even lower operating system protections, a security researcher claims

It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.

According to Joxean Koret, a researcher at Singapore security firm COSEINC, antivirus programs are as vulnerable to attacks as the applications they're trying to protect and expose a large attack surface that can make computers even more vulnerable.

Koret spent the last year analyzing antivirus products and their engines in his spare time and claims to have found dozens of remotely and locally exploitable vulnerabilities in 14 of them. The vulnerabilities ranged from denial-of-service issues to flaws that allow potential attackers to elevate their privileges on systems or to execute arbitrary code. Some bugs were located in antivirus engines -- the core parts of antivirus products -- and some in various other components.

Koret presented his findings at the SysScan 360 security conference earlier this month.

"Exploiting AV engines is not different to exploiting other client-side applications," the researcher said in his presentation slides. They don't use any special self-protections and rely on anti-exploitation technologies in the OS like ASLR (address space layout randomization) and DEP (data execution prevention); and sometimes they even disable those features, he said.

Because antivirus engines typically run with the highest system privileges possible, exploiting vulnerabilities in them will provide attackers with root or system access, Koret said. Their attack surface is very large, because they must support a long list of file formats and file format parsers typically have bugs, he said.

According to the researcher, another issue is that some antivirus products don't digitally sign their updates and don't use encrypted HTTPS connections to download them, which allows man-in-the-middle attackers to inject their own malicious files into the traffic that would get executed.

During his SysScan talk, Koret disclosed vulnerabilities and some other security issues, like the lack of ASLR protection for some components, in antivirus products from Panda Security, Bitdefender, Kaspersky Lab, ESET, Sophos, Comodo, AVG, IKARUS Security Software, Doctor Web, MicroWorld Technologies, BKAV, Fortinet and ClamAV. However, he also claimed to have found vulnerabilities in the Avira, Avast, F-Prot and F-Secure antivirus products.

Koret did not report the issues he found to all affected vendors, because he thinks that vendors should audit their own products and run bug bounty programs to attract independent research. Some of his other recommendations for vendors include using programming languages "safer" than C and C++, not using the highest privileges possible when parsing network packets and files because "file parsers written in C/C++ code are very dangerous," running potentially dangerous code in emulators or sandboxes, using SSL and digital signatures for updates and removing code for old very threats that hasn't been touched in years.

The researcher confirmed in his presentation slides that some of the vulnerabilities he found had been fixed.

Independent of Koret's analysis, researchers from Offensive Security recently found three privilege escalation vulnerabilities in Symantec's Endpoint Protection product. The flaws can be exploited by a local user with limited privileges to gain full system access. Symantec is currently investigating the flaws.

"I won't go to the extent to say that AV software is pointless, since we do know that users still love clicking and installing stuff, and many networks are compromised this way," said Carsten Eiram, the chief research officer at security intelligence firm Risk Based Security and a long-time vulnerability researcher. "However, system administrators should carefully select which security products they buy as well as which features are enabled -- especially when it comes to content inspection. All those file format parsers have proven again and again over the years to be treasure troves to attackers."

Eiram said that while he didn't attend Koret's talk, he looked over the slides and the research appears to be solid.

"Adding a huge attack surface, which often happens when installing AV software or other security software, in an attempt to make systems/networks more secure does not increase overall security," Eiram said. "I agree that it often decreases it."

The fact that antivirus products have vulnerabilities might not be surprising to security researchers, but many regular users likely assume that security products are inherently secure. After all, it would be fair to expect good coding practices and solid secure development lifecycles from companies that are clearly familiar with the risks of vulnerable code and sell protection against attacks that exploit vulnerabilities in other software.

This problem, however, extends beyond antivirus programs. Ben Williams, a penetration tester with NCC Group, analyzed security appliances, including email and Web security gateways, firewalls, remote access servers and UTM (united threat management) systems, from leading vendors in 2012 and concluded that most of them are poorly maintained Linux systems running insecure Web applications.

"While we do everything possible to ensure that products are fault free, sadly no software is perfect," an ESET representative said via email in response to an inquiry about Koret's research. The company contacted Koret after the researcher tweeted some of his findings on March 1 and fixed the problem he identified in less than three days, the representative said. "ESET always welcomes researchers who follow responsible disclosure procedures of bugs and issues."

A Bitdefender representative said via email that the company also fixed the problems disclosed in Koret's presentation slides within days of their release. However, the company is not in possession of the entire list of bugs that the researcher claims to have found and can't be sure that it has fixed all of them, or if they're even reproducible.

"Since the announcement, we have also conducted an internal code audit, fixed a number of other bugs and made changes to our build and QA [quality assurance] processes which should result in far sturdier code and prevent similar situations in the future," the Bitdefender representative said.

The issues in Kaspersky Lab's antivirus products that were outlined in Koret's presentation, namely the absence of ASLR in some components and a potential denial-of-service issue when scanning nested archives, are not critical to the security protection of the company's customers, a Kaspersky representative said via email. Software that is written without ASLR is not implicitly more vulnerable to exploits, but Kaspersky Lab added ASLR to the product components that were lacking it -- vlns.kdl and avzkrnl.dll -- after Koret's presentation, he said.

The archive issue where scanning of a 3MB 7-Zip file can allegedly produce a 32GB dump file could not be verified or refuted because the company has not received a detailed description of the methodology used by the researcher.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityAVGsophosFortinetsymantecantiviruspanda securitymicroworld technologiesbitdefenderf-securekaspersky labesetExploits / vulnerabilitiesDesktop securityComodoAvastAviraNCC GroupDoctor WebBKAVIKARUS Security SoftwareCOSEINC

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?