Beware the code quality and safety of antivirus applications.
See Also: Secure Access in a Hybrid IT World
That warning is being sounded by information security researcher Joxean Koret, who works for Singapore-based security firm Coseinc.
In his spare time, Koret has been testing 17 antivirus engines and products, and he claims he's found remotely or locally exploitable vulnerabilities in 14, as documented in his July 2014 Symposium on Security for Asia Network in Singapore presentation "Breaking AV Software." His research begs the question of why antivirus vendors didn't first spot the flaws themselves.
Some Fuzzing Required
I caught up with Koret, who says he found the bugs using "Nightmare," a fuzzing testing suite he built - and christened - himself. Fuzz testing involves providing unexpected inputs - including random or invalid data - to a software program and seeing what happens. It's a favored technique for discovering ways to break an application that its developer never envisioned. Unless, of course, that developer took the time to fuzz their own application.
Antivirus vendors also reuse each other's code. In his early tests of the BitDefender kernel, for example, which is used by three other vendors, Koret found an "amazing number of bugs," at least some of which - he hypothesized - would be remotely exploitable. If so, attackers could hack third-party code in AV software to seize remote control of PCs.
But some of the bugs he found are more dangerous than others. For example, in one antivirus product, he found a remote command injection bug that can give an attacker root access to the underlying system. Hacking the software requires just one character: "It's as simple as just putting a semi-colon - and the operating system commands you want to execute - in the password field of the login page ... that's all," Koret tells me.
Security Wish List
Many business users might rightly expect a higher bug-prevention standard from their security vendors. But Koret claims too many antivirus products and engines fail to follow the following common-sense precautions:
- Use HTTPS to transmit application and antivirus signature updates;
- Digitally sign updates to prove authenticity;
- Run dangerous code in an emulator, virtual machine or sandbox - as Symantec and ClamAV do - so it can't exploit the antivirus software itself;
- Avoid giving root-level privileges to AV for scanning network packets or file contents;
- Enable ASLR and DEP, since it may be the only "security" built into security applications;
- Ditch ancient and likely buggy code designed to detect "MS-DOS era viruses, packers, protectors."
Without those features in place, a product that purports to secure systems may, in fact, be used by attackers to subvert them. As Koret asks: "Why is it harder to exploit browsers than security products?"
The answer likely comes down to time, money and expertise. "One of the problems is that AV engineers are usually just programmers/engineers, not security people," Koret tells me. "On top of that, the amount of malware AV companies must deal with makes any other task secondary."
What AV Vendors Say
To date, Koret's findings have earned him a bug bounty from Avast and accolades from Finnish anti-virus firm F-Secure, which received a related bug report from Koret in the spring of 2014. "We'd like to thank Mr. Joxean Koret for his important work, and for collaborating with us to help improve our products," says Antti Tikkanen, F-Secure's director of security response.
"All the vulnerabilities reported to us have been fixed through our normal vulnerability fix process and automatically deployed to our customers," he says. "This includes the vulnerabilities reported to us in the BitDefender engine, which we also use in some of our products."
Going forward, I hope more antivirus vendors will keep a closer eye on the quality of both their AV code and any third-party code used in their AV engines.
But the findings are a reminder that even security products may not always be entirely secure. "Do not blindly trust your AV product," says Koret, who advocates network isolation for any machine that contains an antivirus engine, and which also serves as a gateway, or facilitates network inspection or another business-critical task. He also recommends businesses audit AV engines themselves - or hire a third party - to ensure their security software isn't making them more vulnerable to would-be attackers.