Pierluigi Paganini December 10, 2015

Experts at enSilo have found a critical security vulnerability in various antivirus (AV) software that could be exploited by attackers to turn the AntiVirus to an attack-enabler tool.

Some of the most important security firms have had an ugly surprise, the security software they offer to their clints have been compromised by a serious vulnerability flaw that could be exploited to hack computers.

In March, the security researchers at enSilo firm discovered a serious vulnerability in the popular free antivirus engine AVG Internet Security 2015. The researchers discovered that the software was allocating memory for read, write, and execute (RWX) permissions in a predictable address. The knowledge of the memory address could be exploited by an attacker could to inject malicious code into the target system and execute it.

enSilo reported the vulnerability to AVG that promptly fixed it within a couple of days. The experts at enSilo decided to analyze other software commercialized by the principal security firms, including McAfee and Kaspersky.

They discovered that VirusScan Enterprise version 8.8 and Kaspersky Total Security 2015 were also affected by the vulnerability. Below the list of vulnerable products discovered by the experts:

For now we have found this vulnerability in the following Anti-Virus products. We’ll continue updating this list as we receive more information.

• McAfee Virus scan Enterprise version 8.8. This vulnerability appears in their Anti Malware + Add-on Modules , scan engine version (32 bit) 5700.7163 , DAT version 7827.0000 , Buffer Overflow and Access Protection DAT version 659 , Installed patches: 4. We have notified McAfee and they have silently fixed it in their patch dated Aug. 20, 2015.
• Kaspersky Total Security 2015 – 15.0.2.361 – kts15.0.2.361en_7342. We have notified Kaspersky and they have silently fixed it in their patch dated Sept. 24, 2015.
• AVG Internet Security 2015 build 5736 + Virus database 8919. As mentioned above, AVG has released their patch on March 12^th. 

The researchers plan to analyze other solutions and update the readers about the status of their security software.

“We’ll continue updating this list as we receive more information,” said Tomer Bitton, VP of research at enSilo, in a blog post.

“Given that this is a repetitive coding issue amongst Anti-Virus – an intrusive product, we believe that this vulnerability is also likely to appear in other intrusive products, non-security related, such as application-performing products.”

Other experts wrote about the security issue, Tavis Ormandy, security expert at Google, has written about a similar issue with Kaspersky software. In the blog post the hacker detailed how it is possible to exploit the security issue.

Considering the gravity of the problem and its widespread nature, enSilo has created a free checking tool called AVulnerabilityChecker to allow users checking if their machine is vulnerable.

“Considering the gravity of this issue, we created a tool – AVulnerabilityChecker – that checks whether an application running on your machine is vulnerable to this flaw. If vulnerable, AVulnerabilityChecker will not be able to tell you which application contains the flaw, but it will point out where to start the analysis.” states enSilo.

McAfee and Kaspersky have already fixed the security issue.

Pierluigi Paganini

(Security Affairs – antivirus software, Internet Root servers)