TheWindowsClub News

TheWindowsClub Tech News covers the latest Microsoft Windows 10 news, along with other products & services like Office, etc.

Serious design flaws bypassing exploit mitigations found in AVG, McAfee, Kaspersky

Popular Antivirus programs such as AVG, McAfee and Kaspersky were found to be providing easy access for malware attackers to infect PC’s with exploit mitigations. This is said to be happening because of serious design issues that they carry, as explored by Tomer Bitton, the Co-Founder & VP Research at enSilo.

AVG

The flaw is said to exist, where anti-virus products allocate memory with RWX (Read-Write-Execute) permissions in a predictable address.

Injecting the malicious code with ease

Injecting a malicious code using the above process seems to be easier than you would otherwise think. Post user-mode creation process, the affected program uses the kernel to inject a small hooking code stub and simultaneously allocates a memory page with RWX (Read-Write-Execute) permissions at a constant/predictable address.

Attackers with access to a compromised third party application can then easily copy the malicious code to the program’s allocated RWX page and execute the malicious code with ease. The exploitation can be in the form of any application be it a word file, pdf or through a browser.

Many Antivirus products could be carrying this issue

As Tomer mentions, the design flaw was first discovered in AVG in March 2015, however soon when it was tested on other anti-virus products, the result disclosed other programs with the same flaw. The effected programs discovered until now, include:

  • McAfee Virus scan Enterprise version 8.8. This vulnerability appears in their Anti Malware + Add-on Modules , scan engine version (32 bit) 5700.7163 , DAT version 7827.0000 , Buffer Overflow and Access Protection DAT version 659 , Installed patches: 4 ( the vulnerability was fixed after the company released a patch on August 20, 2015 )
  • Kaspersky Total Security 2015 – 15.0.2.361 – kts15.0.2.361en_7342 ( the vulnerability was fixed after the company released a patch on Sep 24, 2015 )
  • AVG Internet Security 2015 build 5736 + Virus database 8919. ( the vulnerability was fixed after the company released a patch on March 12, 2015 )

While the security companies have fixed the flaw, and released updates, you may want to ensure that you are running the latest available versions of your security software.

In case you would like to check if your computer is prone to exploitable constant, RWX addresses, you can use “AVulnerabilityChecker” to find the same. It is available at Github.

Updated on Tags:

AnkitGupta@TWCN

Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows & IT security. He has a deep liking for wild life and has written a book on Top Tiger Parks of India.

Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap