Speaking at the SyScan 360 security conference in Beijing, China earlier this month, Koret explained how he had used a custom fuzzing suite to find bugs in 17 of the major antivirus engines that power antivirus software products from vendors such as Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan.
Koret's presentation slides became available (PDF) late on Monday. They claim that most anti-virus products run with too much administrator privilege, that they could be exposed to man-in-the-middle (MiTM) attacks, and that they are “as vulnerable to zero-day attacks as the applications it tries to protect from.”
Most anti-virus software products are written in C or C++, run operating system drivers and support a wide range of file formats, all of which – according to the COSEINC researcher – open them up to issues such as buffer and heap overflow exploitation, local escalation of privileges and file format bugs.
He blamed human error for the possibility of 'zero-day' flaws, pointing to insecure HTTP connections being used for updates and to the fact that updates are not cryptographically signed. He added that some software was running old code and that some firms were not conducting proper source code reviews or fuzzing. Because of the lack of proper signing, he said, MiTM attackers could insert themselves between the update server and the AV software to gain access to AV programs on home and business PCs, something he said would result in hackers “completely owning [their] machine”.
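As an added example (not from Koret's slides or any vendor's updater), this is the client-side check that closes the update-channel gap described above: the vendor signs an update manifest, the client verifies it under a pinned vendor public key, checks the downloaded blob against the signed digest, and refuses rollbacks, so an attacker on a plain-HTTP update path can neither substitute a payload nor replay an old release. The `Manifest` format, the function names and the in-process key generation are constructed for the demo; a real client ships with the vendor public key pinned and never holds the private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: version plus digest of the update bytes.
type Manifest struct {
	Version int
	SHA256  string // hex SHA-256 of the update blob
}

func (m Manifest) bytes() []byte { return []byte(fmt.Sprintf("v=%d;sha256=%s", m.Version, m.SHA256)) }

// Digest returns the hex SHA-256 of an update blob.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor side (assumed build-server step, never run on the client).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.bytes()) }

// VerifyUpdate is the client side: accept only if the manifest signature validates under
// the pinned vendor key, the blob matches the signed digest, and the version is newer.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, blob []byte, installed int) error {
	if !ed25519.Verify(pinned, m.bytes(), sig) {
		return errors.New("manifest signature invalid: not signed by the vendor key")
	}
	if Digest(blob) != m.SHA256 {
		return errors.New("update blob does not match the signed digest")
	}
	if m.Version <= installed {
		return errors.New("rollback/replay: version is not newer than installed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key; real clients pin pub only
	blob := []byte("constructed update payload")
	m := Manifest{Version: 2, SHA256: Digest(blob)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine:", VerifyUpdate(pub, m, sig, blob, 1))               // <nil>
	fmt.Println("swapped:", VerifyUpdate(pub, m, sig, []byte("mitm swap"), 1)) // error
}
```

Note that the signature covers the manifest, not the TLS session, so the check holds even when the transport is plain HTTP; moving updates to HTTPS on top of this limits what an on-path attacker can observe but is not a substitute for the signature.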
For this reason, Koret urges companies to keep AV programs with additional capabilities away from the main corporate network.
The researcher added that, as most AV products offer the ability to scan the network and modify or remove malicious programs, a hacker could abuse these rights and take full control of a computer if the anti-virus software was compromised.
By the time of Koret's presentation, some antivirus vendors – such as Avast and ESET – were said to have patched their software, with Avast having offered a bug bounty to identify the problems. Other larger suppliers were not notified on the assumption that they already have sizeable budgets to carry out security research.