Correlate

Cybersecurity researchers today disclosed details of security vulnerabilities found in popular antivirus solutions that could enable attackers to elevate their privileges, thereby helping malware sustain its foothold on the compromised systems.
According to a report published by CyberArk Labs today and shared with The Hacker News, the high privileges often associated with anti-malware products render them more vulnerable to exploitation via file manipulation attacks, resulting in a scenario where malware gains elevated permissions on the system.

The bugs impact a wide range of antivirus solutions, including those from Kaspersky, McAfee, Symantec, Fortinet, Check Point, Trend Micro, Avira, and Microsoft Defender, each of which has been fixed by the respective vendor.

Gandalf_The_Grey

A quote from the second link:
Summary
The implications of these bugs are often full privilege escalation of the local system. Due to the high privilege level of security products, an error in them could help malware to sustain its foothold and cause more damage to the organization. The exploits that were presented here are easy to implement, but also easy to patch against. We have seen that blocking symlink attacks or blocking the load of malicious DLLs requires only a small touchup in the code. Knowing that, AV vendors should be able to eliminate this widespread bug class.

While each of these vulnerabilities has now been fixed, I would like to specifically recognize the Kaspersky PSIRT team, who were quick to respond to the bug reports and issue a patch for the vulnerabilities.

Associated CVEs
Kaspersky: CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
McAfee: CVE-2020-7250, CVE-2020-7310
Symantec: CVE-2019-19548
Fortinet: CVE-2020-9290
Check Point: CVE-2019-8452
Trend Micro: CVE-2019-19688, CVE-2019-19689 +3
Avira: CVE-2020-13903
Microsoft: CVE-2019-1161
Avast + F-Secure: Waiting for MITRE
What is so special about Kaspersky here?
They had the fastest response and patch time?
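The symlink bug class in the CyberArk summary quoted above (a privileged component deleting or writing through a path that a low-privileged user can redirect with a symlink or junction) is closed by refusing to follow any link below the trusted directory before acting on the file. This is an added example, not code from CyberArk or from any of the vendors named; the function names and the constructed directory layout in build_demo_tree are assumptions for illustration.

```python
import os
import stat
import tempfile

def is_reparse_point(path: str) -> bool:
    """True if path itself is a symlink, or a junction/other reparse point on Windows."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # attribute exists on Windows only
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def safe_delete(root: str, rel_path: str) -> bool:
    """Delete root/rel_path; refuse if any component below root is a link.

    Meant for privileged code deleting from a directory lower-privileged users
    can write to (quarantine, temp), where a planted link would redirect the
    delete onto a protected file. Check-then-unlink still leaves a small race;
    closing it needs O_NOFOLLOW/dir_fd (POSIX) or FILE_FLAG_OPEN_REPARSE_POINT.
    """
    if os.path.isabs(rel_path) or os.path.splitdrive(rel_path)[0]:
        return False                                  # must be relative to root
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p]
    if not parts or ".." in parts:
        return False                                  # would escape root
    current = root
    for part in parts:
        current = os.path.join(current, part)
        if not os.path.lexists(current) or is_reparse_point(current):
            return False                              # missing, or a link: reject
    if not stat.S_ISREG(os.lstat(current).st_mode):
        return False                                  # only plain files
    os.unlink(current)
    return True

def still_exists(path: str) -> bool: return os.path.lexists(path)

def build_demo_tree():
    """Constructed layout: <tmp>/protected/victim.txt plus a writable quarantine
    dir holding ok.txt, link.txt -> victim.txt and dirlink -> <tmp>/protected."""
    base = tempfile.mkdtemp()
    protected = os.path.join(base, "protected", "victim.txt")
    quarantine = os.path.join(base, "q")
    os.makedirs(os.path.dirname(protected))
    os.mkdir(quarantine)
    for f in (protected, os.path.join(quarantine, "ok.txt")):
        open(f, "w").close()
    os.symlink(protected, os.path.join(quarantine, "link.txt"))
    os.symlink(os.path.dirname(protected), os.path.join(quarantine, "dirlink"))
    return quarantine, protected
```

Run build_demo_tree() and then call safe_delete on "link.txt", "dirlink/victim.txt" and "ok.txt" to see the two link paths rejected and only the plain file removed.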

Andy Ful

The large-scale attacks (spam, phishing, etc.) via the AV vulnerabilities are not as profitable as simply using the Windows vulnerabilities. The AV vulnerabilities are patched much quicker. So, home users should not worry.
The situation can be worse in targeted attacks, especially when the attacker uses stealthy spyware. Such attacks can be uncovered for a long time.

FireHammer

Hi, what if you have SysHardener instead of Hard Configurator, are you then secure?
I am asking you, @Andy Ful, you made the software, you must know.

Andy Ful

H_C is much more restrictive, so one will be safer with it. But, as I have already mentioned, you have close-to-0-chances to see this for the malware which was prepared to exploit the AV.

FireHammer

Hi, I am not totally green, but almost, so I have been told that H_C is not for beginners; that is why I chose SysHardener + BTS & VS Free. My router is new and my ISP promised me it was updated all the time. I am a home user, I am the only one with access to this PC, and I am on cable for internet.
That & common sense will go a long way, am I right?

FireHammer

Did they ensure you are using the latest hardware, or the actual router firmware?

Are you able to check the firmware and verify it is the most up-to-date version against an external source?
Hi @Spawn, no I am not, I am afraid; I just took their word for it. My router is only six months old (Technicolor). I got it because my old router, also a Technicolor, had a chip which was getting too hot and could not deliver the speed I was paying for (300/50). I believe they said they kept the firmware up to date. :)

SpiderWeb

If ransomware can run from a VM, sandboxed, why can't these vendors sandbox/VM their AVs? Microsoft has proven that Windows Defender can do this, but even they don't enable it by default on most machines... At the end of the day AVs are software like any other, but AV vendors are the most in denial about security flaws in their own products.

geminis3

Most AV engines' core modules are practically the same as 20 years ago; IMO 3rd-party AVs increase the attack surface of Windows machines. A lockdown/default-deny protection approach is superior, but it has the clear disadvantage of limiting what the user can do on his computer, so it will rarely be deployed outside of enterprise.