Popular Antivirus programs such as AVG, McAfee and Kaspersky were found to be providing easy access for malware attackers to infect PC’s with exploit mitigations. This is said to be happening because of serious design issues that they carry, as explored by Tomer Bitton, the Co-Founder & VP Research at enSilo.
The flaw is said to exist, where anti-virus products allocate memory with RWX (Read-Write-Execute) permissions in a predictable address.
Injecting the malicious code with ease
Injecting a malicious code using the above process seems to be easier than you would otherwise think. Post user-mode creation process, the affected program uses the kernel to inject a small hooking code stub and simultaneously allocates a memory page with RWX (Read-Write-Execute) permissions at a constant/predictable address.
Attackers with access to a compromised third party application can then easily copy the malicious code to the program’s allocated RWX page and execute the malicious code with ease. The exploitation can be in the form of any application be it a word file, pdf or through a browser.
Many Antivirus products could be carrying this issue
As Tomer mentions, the design flaw was first discovered in AVG in March 2015, however soon when it was tested on other anti-virus products, the result disclosed other programs with the same flaw. The effected programs discovered until now, include:
- McAfee Virus scan Enterprise version 8.8. This vulnerability appears in their Anti Malware + Add-on Modules , scan engine version (32 bit) 5700.7163 , DAT version 7827.0000 , Buffer Overflow and Access Protection DAT version 659 , Installed patches: 4 ( the vulnerability was fixed after the company released a patch on August 20, 2015 )
- Kaspersky Total Security 2015 – 15.0.2.361 – kts15.0.2.361en_7342 ( the vulnerability was fixed after the company released a patch on Sep 24, 2015 )
- AVG Internet Security 2015 build 5736 + Virus database 8919. ( the vulnerability was fixed after the company released a patch on March 12, 2015 )
While the security companies have fixed the flaw, and released updates, you may want to ensure that you are running the latest available versions of your security software.
In case you would like to check if your computer is prone to exploitable constant, RWX addresses, you can use “AVulnerabilityChecker” to find the same. It is available at Github.
Thanks for this tip; app downloaded as 4.5MB extractable portable, ran it on Dell originally Win8.1 upgraded/updated to moment as Windows 10 ver 1511, app ended scan saying device probably not susceptible at all; ran same app on Acer originally Win 7 upgraded/updated to moment as Windows 10 ver 1511, scan identified only browser used for “two tabs” test bits as vulnerable…yet both Windows 10 devices are 64 bit having identical security apps in place. The Dell is dual core i5, the Acer five years old and Pentium III/AMD dual core; Maybe just like some graphics apps need Windows 10 on a device with hardware supporting OpenGL 3.2 to even install (like on the Dell), one size doesn’t always perfectly fit all re Windows security updates on older 64 bit architectures?
After reading this article I used Github’s scanner and my Surface 3 Pro (Win 8.1) i7 running Webroot AV etc was reported as vulnerable.