It's generally accepted that antivirus programs provide a necessary protection layer, but organizations should audit such products before deploying them on their systems because many of them contain serious vulnerabilities, a researcher warned.
According to Joxean Koret, a researcher at Singapore security firm Coseinc, antivirus programs are as vulnerable to attacks as the applications they're trying to protect and expose a large attack surface that can make computers even more vulnerable.
[ It's time to rethink security. Two former CIOs show you how to rething your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Koret spent the last year analyzing antivirus products and their engines in his spare time and claims to have found dozens of remotely and locally exploitable vulnerabilities in 14 of them. The vulnerabilities ranged from denial-of-service issues to flaws that allow potential attackers to elevate their privileges on systems or to execute arbitrary code. Some bugs were located in antivirus engines -- the core parts of antivirus products -- and some in various other components.
Koret presented his findings at the SysScan 360 security conference earlier this month.
"Exploiting AV engines is not different to exploiting other client-side applications," the researcher said in his presentation slides. They don't use any special self-protections and rely on anti-exploitation technologies in the OS like ASLR (address space layout randomization) and DEP (data execution prevention); and sometimes they even disable those features, he said.
Because antivirus engines typically run with the highest system privileges possible, exploiting vulnerabilities in them will provide attackers with root or system access, Koret said. Their attack surface is very large, because they must support a long list of file formats and file format parsers typically have bugs, he said.
According to the researcher, another issue is that some antivirus products don't digitally sign their updates and don't use encrypted HTTPS connections to download them, which allows man-in-the-middle attackers to inject their own malicious files into the traffic that would get executed.
During his SysScan talk, Koret disclosed vulnerabilities and some other security issues, like the lack of ASLR protection for some components, in antivirus products from Panda Security, Bitdefender, Kaspersky Lab, Eset, Sophos, Comodo, AVG, Ikarus Security Software, Doctor Web, MicroWorld Technologies, BKAV, Fortinet and ClamAV. However, he also claimed to have found vulnerabilities in the Avira, Avast, F-Prot and F-Secure antivirus products.
Koret did not report the issues he found to all affected vendors, because he thinks that vendors should audit their own products and run bug bounty programs to attract independent research. Some of his other recommendations for vendors include using programming languages "safer" than C and C++, not using the highest privileges possible when parsing network packets and files because "file parsers written in C/C++ code are very dangerous," running potentially dangerous code in emulators or sandboxes, using SSL and digital signatures for updates and removing code for old very threats that hasn't been touched in years.
The researcher confirmed in his presentation slides that some of the vulnerabilities he found had been fixed.