New Flaws in Top Antivirus Software Could Make Computers More Vulnerable

correlate

Level 18
Thread author
Verified
Top Poster
Well-known
May 4, 2019
825
Cybersecurity researchers today disclosed details of security vulnerabilities found in popular antivirus solutions that could enable attackers to elevate their privileges, thereby helping malware sustain its foothold on the compromised systems.
According to a report published by CyberArk Labs today and shared with The Hacker News, the high privileges often associated with anti-malware products render them more vulnerable to exploitation via file manipulation attacks, resulting in a scenario where malware gains elevated permissions on the system.

The bugs impact a wide range of antivirus solutions, including those from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender, each of which has been fixed by the respective vendor.
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,284
A quote from the second link:
Summary
The implications of these bugs are often full privilege escalation of the local system. Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization. The exploits that were presented here are easy to implement, but also easy to patch against. We have seen that blocking symlink attacks or blocking the load of malicious DLLs require only a small touchup in the code. Knowing that, AV vendors should be able to eliminate this widespread bug class.

While each of these vulnerabilities has now been fixed, I would like to specifically recognize the Kaspersky PSIRT team, who were quick to respond to the bug reports and issue a patch for the vulnerabilities.

Associated CVEs
Kaspersky CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
McAfee CVE-2020-7250, CVE-2020-7310
Symantec CVE-2019-19548
Fortinet CVE-2020-9290
Checkpoint CVE-2019-8452
Trend Micro CVE-2019-19688, CVE-2019-19689 +3
Avira CVE-2020-13903
Microsoft CVE-2019-1161
Avast + F-Secure: waiting for MITRE
What is so special about Kaspersky here?
They had the fastest response and patch time?
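The bug class the quoted summary describes (a privileged process following a symlink or junction planted in a user-writable directory, and the "small touchup" that blocks it) is easier to see in code. The block below is an added example, not code from CyberArk or from any of the affected products: it uses POSIX semantics (O_NOFOLLOW, directory-relative opens) as a stand-in for the equivalent Windows checks, and the "victim" file, "work" directory and "report.log" name are constructed for the demo.

```python
import errno
import os
import stat
import tempfile


def naive_write(work_dir: str, name: str, data: bytes) -> None:
    """Vulnerable pattern: open() follows symlinks, so a link planted in a
    user-writable work_dir redirects a privileged writer to any file."""
    with open(os.path.join(work_dir, name), "wb") as f:
        f.write(data)


def hardened_write(work_dir: str, name: str, data: bytes) -> None:
    """Hardened pattern: accept only a single path component, pin the
    directory with a handle opened O_NOFOLLOW, then create the leaf with
    O_NOFOLLOW relative to that handle, and verify it is a regular file."""
    if os.sep in name or name in ("", ".", ".."):
        raise ValueError("single path component required")
    dfd = os.open(work_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW makes the kernel fail with ELOOP if the leaf is a symlink.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
        try:
            if not stat.S_ISREG(os.fstat(fd).st_mode):
                raise OSError(errno.EPERM, "refusing non-regular file")
            os.write(fd, data)
        finally:
            os.close(fd)
    finally:
        os.close(dfd)


def demo() -> dict:
    """Constructed scenario: 'victim.txt' stands in for a protected file and
    'work' for a world-writable directory a privileged component writes into."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "victim.txt")
    with open(victim, "wb") as f:
        f.write(b"original")
    work = os.path.join(root, "work")
    os.mkdir(work)
    os.symlink(victim, os.path.join(work, "report.log"))  # planted link

    # Naive writer: the link is followed and the protected file is overwritten.
    naive_write(work, "report.log", b"clobbered")
    with open(victim, "rb") as f:
        after_naive = f.read()

    # Reset, then show the hardened writer refusing the same link.
    with open(victim, "wb") as f:
        f.write(b"original")
    refused = False
    try:
        hardened_write(work, "report.log", b"clobbered")
    except OSError as e:
        refused = e.errno == errno.ELOOP
    with open(victim, "rb") as f:
        after_hardened = f.read()
    return {"after_naive": after_naive, "refused": refused, "after_hardened": after_hardened}


if __name__ == "__main__":
    print(demo())
```

The fix really is a touch-up: the hardened version changes only how the file is opened, not what the component does. On Windows the same idea is expressed with reparse-point-aware opens and checks on the opened handle rather than on the path string.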
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,514
The large-scale attacks (spam, phishing, etc.) via the AV vulnerabilities are not as profitable as simply using the Windows vulnerabilities. The AV vulnerabilities are patched much quicker. So, home users should not worry.
The situation can be worse in targeted attacks, especially when the attacker uses stealthy spyware. Such attacks can be uncovered for a long time.
 

FireHammer

Level 10
Verified
Well-known
Aug 27, 2020
446
The large-scale attacks (spam, phishing, etc.) via the AV vulnerabilities are not as profitable as simply using the Windows vulnerabilities. The AV vulnerabilities are patched much quicker. So, home users should not worry.
The situation can be worse in targeted attacks, especially when the attacker uses stealthy spyware. Such attacks can be uncovered for a long time.
Hi, what if you have Syshardener instead of Hard Configurator, are you then secure?
I am asking you @Andy Ful, you made the software, you must know. :cry:
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,514
Hi, what if you have Syshardener instead of Hard Configurator, are you then secure?
I am asking you @Andy Ful, you made the software, you must know. :cry:
H_C is much more restrictive, so one will be safer with it. But, as I have already mentioned, you have close-to-0 chances to see this for the malware which was prepared to exploit the AV.
 

FireHammer

Level 10
Verified
Well-known
Aug 27, 2020
446
H_C is much more restrictive, so one will be safer with it. But, as I have already mentioned, you have close-to-0 chances to see this for the malware which was prepared to exploit the AV.
Hi, I am not totally green but almost, so I have been told that HC is not for beginners; that is why I chose Syshardener + BTS & VS Free. My router is new and my ISP promised me it was updated all the time. I am a home user, I am the only one with access to this PC, and I am on cable for internet.
That & common sense will go a long way, am I right?
 

FireHammer

Level 10
Verified
Well-known
Aug 27, 2020
446
Did they ensure you are using the latest hardware, or the actual router firmware?

Are you able to check the firmware and verify it is the most up-to-date version against an external source?
Hi, @Spawn, no I am not, I am afraid, I just took their word for it. My router is only six months old (Technicolor); I got it because my old router, also a Technicolor, had a chip which was getting too hot and could not deliver the speed I was paying for (300/50). I believe they said they kept the firmware up to date. :)
 

SpiderWeb

Level 13
Verified
Top Poster
Well-known
Aug 21, 2020
608
If a ransomware can run from a VM, sandboxed, why can't these vendors sandbox/VM their AVs? Microsoft has proven that Windows Defender can do this but even they don't enable it by default on most machines... At the end of the day AVs are software like any other but AV vendors are the most in denial about security flaws in their own products.
 

bayasdev

Level 19
Verified
Top Poster
Well-known
Sep 10, 2015
901
Most AV engines' core modules are practically the same as 20 years ago; IMO 3rd-party AVs increase the attack surface of Windows machines. A lockdown/default-deny protection approach is superior, but it has the clear disadvantage of limiting what the user can do on his computer, so it will rarely be deployed outside of enterprise.
 
