Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/8/2015
06:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Known Security Flaw Found In More Antivirus Products

A vulnerability discovered earlier this year in AVG software also spotted in Intel McAfee, Kaspersky Lab AV products.

Turns out a vulnerability discovered earlier this year in antivirus software from AVG also was present in AV software products from Intel McAfee and Kaspersky Lab.

The security bug --  which researchers at enSilo in March reported in AVG's Internet Security 2015 build 5736 and virus database 8919  -- centers around how the AV products in question allocate memory for read, write, and execute purposes.

The AV products use "predictable" addresses that in turn could allow malware to exploit vulnerable, out-of-date third-party Windows applications for nefarious purposes. That effectively bypasses the AV system and makes it easier for bad guys to exploit vulnerable browsers or Adobe Reader, for example, to hack a Windows machine. enSilo today disclosed that this fall, it found the flaw in Kaspersky Lab'sKaspersky Total Security 2015 - 15.0.2.361 - kts15.0.2.361en_7342 and McAfee's Virus Scan Enterprise version 8.8, including in its Anti Malware + Add-on Modules, Scan Engine version (32 bit) 5700.7163, DAT version 7827.0000, Buffer Overflow and Access Protection DAT version 659, after building its own tool to test AV products for the flaw.

Both Kaspersky Lab and Intel McAfee have patched the flaw in their respective products -- AVG fixed its bug just days after enSilo alerted the company -- but enSilo says the vulnerability could well exist in other software such as data leak prevention and performance monitoring products.

The flaw can only be exploited in Windows XP, Vista, and 7 machines. "The problem exists in Windows 8, but Microsoft saves them from the vulnerability because the … address is randomized," says Tomer Bitton, co-founder and vice president of research at enSilo.

Bitton says the critical bug basically converts AV  into a tool for an attacker. enSilo today also released a free tool for companies and vendors to test whether their security products contain the bug.

"The problem is injection of code from the kernel to user mode," Bitton says. Fixing the bug entails the AV vendors changing permissions in the memory space, he says, limiting it to read and eliminating the "write" capability.

"The attacker doesn't need to bypass it [AV with this bug]. They have the address inside memory, and copying code inside the memory base in AV that it has allocated. It's very easy" to exploit, he says.

Intel issued a patch for its products in August. "Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers' claims and took action to develop and distribute a solution addressing it. This solution was distributed to customers  in a patch on August 20, 2015," an Intel McAfee spokesperson said in emailed comments.

Kaspersky Lab fixed the bug in September, and says the vulnerability can't be exploited without the presence of a vulnerable third-party Windows application as well, such as a stack-based buffer overflow bug. "The allocation of Read/Write/Execute (RWX) memory by Kaspersky Lab solutions at predictable addresses could be used by exploits to facilitate ROP attack technique," according to a Kaspersky Lab spokesperson in an email exchange. "The vulnerability couldn’t be exploited by itself with code execution and privilege escalation, but could have simplified the exploitation of third party application vulnerabilities, such as stack based buffer-overflow.

So far, neither enSilo nor the other security firms have seen signs of the bug being exploited in the wild.

But enSilo points out that Google's Tavis Ormandy in September was able to exploit a similar bug in Kaspersky's software using the flaw enSilo uncovered.

"These types of vulnerabilities clearly demonstrate the problems in the security eco-system. On the one hand, Microsoft invests loads of resources in defenses, mitigations and enhancements to strengthen its system against compromise. On the other hand, there’ll always be some oversight in applications. Unfortunately, it’s precisely vulnerable third party applications which can lead to the compromise of these same defenses," enSilo wrote in a blog post today.

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.