- Nov 4, 2011
At the SyScan 360 security conference in Beijing, Koret provided a simple example, saying that “most antivirus engines update via HTTP only protocols.”
Relying on the man-in-the-middle (MitM) attack, “one can install new files and/or replace existing installation files,” which “often translates in completely owning the machine with the AV engine installed as updates are not commonly signed.”
The researcher provides a list of vulnerabilities he found when testing his tools against well-known antivirus products. The results included heap overflows, remotely triggerable vulnerabilities, integer overflows, local privilege escalation, and command injection.
The list of products with one or more of these glitches includes Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda, and eScan.