10 Security Product Flaw Scares
CCleaner compromise puts the crown on several years' worth of headlines about cybersecurity product weaknesses.
September 22, 2017
This week's news that a legitimate version of Avast's CCleaner tool was compromised to deliver malware offers a stark example of how damaging security tools can be when the bad guys subvert them to act maliciously.
For several decades now, we've heard the dangers of security tools that don't properly recognize malware or malicious activities. But the last few years have flipped the script as more security researchers and black hats have discovered that many security tools can also act as a very convenient tool for compromising the enterprise.
In order to properly work, these tools usually need very high administrative privileges and typically run processes at the lowest levels of the system. This makes them a prime target for attackers.
In the past two years, a number of embarrassing zero-days have come to light that had the criminals, or cyber spies, licking their chops at the thought of the complete ownage that such flaws can afford them.
Attention on vulnerabilities within security products really started ramping up just about the time that security researcher Kristian Hermansen publicly disclosed a high-impact zero-day in FireEye's platform after waiting for action from the vendor for over 18 months on "many handfuls" of 0days he'd discovered. The disclosure in question was a login bypass that would give attackers root access on affected systems.
Just a few months after the FireEye discovery, security researchers from enSilo kept the momentum going with news that software from AVG, Intel, McAfee, and Kaspersky Lab, all suffered from a flaw in how they allocate memory, which essentially allowed attackers to convert these AV systems into an attack tool against other applications.
That memory allocation flaw was followed up within days by a big bombshell that Juniper firewalls were being shipped to customers with an authentication backdoor written directly into the product's source code. The backdoor was present for two years prior to discovery.
The hits kept coming for security vendors in 2016, with Trend Micro in particular getting pummeled throughout the year. The piling on began with research done by Google Project Zero researcher Tavis Ormandy that found a flaw in Trend's password manager that allowed arbitrary command execution with a trivial amount of work. It was a vuln he called "ridiculous" at the time. Meanwhile, researchers kept going to the Trend Micro well. Over the course of six months, researchers Roberto Suggi Liverani and Steven Seeley said they found nearly 200 remotely exploitable vulnerabilities in Trend products that could all be triggered without any user interaction.
Trend Micro was far from the only vendor in the cross-hairs last year. In fact, one series of vulnerabilities in 24 Symantec products, also found by Ormandy, was so bad it spurred US-CERT to issue an advisory urging customers to protect themselves from a remote attack that could hand the bad guys root privileges.
At last year's Black Hat USA conference, the researchers at enSilo were at it again. They found a flaw in the way that prominent AV and security products' hooking engines interacted with systems that essentially gave attackers a clear way to bypass the security controls of the underlying operating system. The flaws impacted AVG, Kaspersky Lab, McAfee, Symantec, Trend Micro, Bitdefender, Webroot, Avast, and Vera.
It may not have been a flaw in security products per se, but a popular attack discovered early this year showed how a little jiggery pokery could be used to essentially turn AV products into malware. Dubbed DoubleAgent, the attack took advantage of a Windows tool called Microsoft Application Verifier to inject malicious code into AV and essentially masquerade malware as AV within an affected system.
This spring, Microsoft's Malware Protection Engine was ground zero for another extremely critical remote code execution flaw that triggered a US-CERT alert and got Microsoft to issue an out-of-band patch. It was discovered by none other than Ormandy - who called it a "crazy bad" vuln - and his Project Zero colleague Natalie Silvanovich. The proof-of-concept attack they came up with only took a website delivering a specially crafted file to set off a memory corruption bug.
Meantime, Black Hat USA this year also featured several talks on security product vulnerabilities. Among the highlights was a technique developed by SafeBreach researchers that made it possible to use cloud-enhanced AV agents as a vehicle for exfiltrating data out of the network, even on air-gapped systems.