Predictable: How AV flaw hit Microsoft's Windows defences
An ecosystem issue explained
Could it be that time spent by Microsoft on software security counts for naught?
Possibly - based on the findings of an investigation by enSilo that found some of the best-known AV names are susceptible to new vulnerabilities.
The results are alarming, suggesting an entire ecosystem is unwittingly opening a back door into systems for hackers and malware writers.
But what exactly is the problem and what's the cause? We reported the breaking story here, but what are the details?
Well, the core problem stems from anti-virus products allocating a memory page with write permissions at a fixed, predictable address.
enSilo cottoned on to the problem at a customer site in March 2015, after it investigated a snag involving its data exfiltration prevention platform and security technology from AVG, also installed in the customer’s environment.
An investigation by enSilo revealed a flaw in AVG Internet Security which effectively enabled a threat actor to exploit old vulnerabilities in a third party application (such as Acrobat Reader) in order to compromise the underlying Windows system. enSilo disclosed this issue to AVG, which promptly patched the vulnerability.
Follow-up research by enSilo has revealed that versions and builds of other anti-virus tools from Kaspersky and Intel Security are vulnerable to similar collisions.
The connecting issue was the use of that combination of memory page and predictable address.
This practice runs contrary to various security attack mitigation technologies Microsoft has introduced into Windows, namely the randomisation of memory (ASLR - Address space layout randomization) and preventing data from running in memory (DEP - Data Execution Prevention). Since the memory page allocated by antivirus packages is at a constant predictable address, an attacker or hacking group can know where to write and run exploit code, potentially defeating Microsoft’s attack mitigation tools in the process.
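As an added illustration (not code from enSilo or from the original article), the check below flags memory regions that are both writable and executable and that sit at the same base address in several processes across reboots, which is the combination described above. The snapshot format, process names and addresses are constructed assumptions; only the page-protection constants are real Windows values.

```python
# Added illustration: flag writable+executable regions that sit at the same
# base address across processes and reboots. All sample data is constructed.
from collections import defaultdict

# Windows page-protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
WRITE_EXEC = PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


def is_write_exec(protect):
    """True if the protection value permits both writing and executing."""
    # Modifier bits such as PAGE_GUARD (0x100) sit above 0xFF; mask them off.
    return bool((protect & 0xFF) & WRITE_EXEC)


def predictable_wx_pages(samples, min_boots=2, min_processes=2):
    """samples: iterable of (boot_id, process, [(base, size, protect), ...]).

    Returns {base: sorted process names} for W+X regions seen at the same
    base in at least min_processes processes and min_boots separate boots.
    """
    boots = defaultdict(set)
    procs = defaultdict(set)
    for boot_id, process, regions in samples:
        for base, _size, protect in regions:
            if is_write_exec(protect):
                boots[base].add(boot_id)
                procs[base].add(process)
    return {
        base: sorted(procs[base])
        for base in sorted(boots)
        if len(boots[base]) >= min_boots and len(procs[base]) >= min_processes
    }


# Constructed snapshots of two processes taken on two boots (not real data).
SAMPLES = [
    ("boot1", "reader.exe",  [(0x5A000000, 0x1000, PAGE_EXECUTE_READWRITE),
                              (0x00400000, 0x8000, PAGE_EXECUTE_READ)]),
    ("boot1", "browser.exe", [(0x5A000000, 0x1000, PAGE_EXECUTE_READWRITE),
                              (0x1F3C0000, 0x2000, PAGE_EXECUTE_READWRITE)]),
    ("boot2", "reader.exe",  [(0x5A000000, 0x1000, PAGE_EXECUTE_READWRITE),
                              (0x00400000, 0x8000, PAGE_EXECUTE_READ)]),
    ("boot2", "browser.exe", [(0x5A000000, 0x1000, PAGE_EXECUTE_READWRITE),
                              (0x2B710000, 0x2000, PAGE_EXECUTE_READWRITE)]),
]

if __name__ == "__main__":
    for base, names in predictable_wx_pages(SAMPLES).items():
        print(f"W+X page at fixed address {base:#010x} in {', '.join(names)}")
```

A writable and executable region that moves between boots, such as the second region in the constructed browser.exe samples, is not reported; only the address that stays constant across processes and boots is.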
The security flaw at play is serious, but less than critical. If present the bug bypasses mitigation, but it doesn't allow for code execution by itself. “If someone runs a five year old Adobe Reader then what AV you run and whether it helps an attacker bypass ASLR isn't your biggest concern,” an independent expert (who asked not to be quoted) told El Reg.
According to enSilo the issue arises with various versions of particular anti-virus packages, as listed below:
- McAfee VirusScan Enterprise version 8.8. The security snag crops up in the Anti Malware + Add-on Modules, scan engine version (32 bit) 5700.7163, DAT version 7827.0000, Buffer Overflow and Access Protection DAT version 659. enSilo states this issue is yet to be resolved - a claim firmly denied by Intel Security, which said it patched the bug in late August.
- Kaspersky Total Security 2015 - 126.96.36.1991 - kts188.8.131.521en_7342. Kaspersky silently fixed the issue with a patch dated 24 September, according to enSilo.
- AVG Internet Security 2015 build 5736 + Virus database 8919. AVG patched the bug on 12 March.
Intel Security and Kaspersky are yet to respond to El Reg’s request for comment on the issue.
“Multiple AVs providing ways to bypass DEP and ASLR - does not inspire confidence. Glad at least AVG patched quickly,” security blogger Kurt Wismer told El Reg.
Although enSilo suggests multiple other anti-virus packages and even other classes of security products might be vulnerable, it hasn’t verified this itself, an omission criticised by some security observers we spoke to as potentially alarmist. “They're slagging off a whole industry based on three products having issues,” one expert told us. “The problem with these over-the-top reports is that it doesn't mean they are wrong, but it's really hard to tell among a lot of FUD.”
Instead of checking the issue itself, enSilo has put together a free checking utility called AVulnerabilityChecker, which it has uploaded to GitHub.
Independent tests using the tool by Simon Edwards, technical director at Dennis Technology Labs, an experienced antivirus tester and chairman of the Anti-Malware Testing Standards Organization, suggest that products from Symantec and BitDefender (among others) might be vulnerable. Security products from Microsoft and others avoid the problem, according to preliminary testing.
“We used that vulnerability scanner to check 22 anti-malware products, including a lot that we regularly test,” Edwards told El Reg. “We found that 12 were ‘likely to be vulnerable’.”
Exploiting the vulnerability is far from a theoretical risk, according to enSilo. It argues that Tavis Ormandy from Google’s Project Zero exploited a vulnerability in Kaspersky’s technology back in September that he uncovered through fuzzing. All this really proves is that security products have flaws too, we'd counter-argue.
“These types of vulnerabilities clearly demonstrate the problems in the security eco-system. On the one hand, Microsoft invests loads of resources in defences, mitigations and enhancements to strengthen its system against compromise… [but] vulnerable third party applications can lead to the compromise of these same defences,” Tomer Bitton, VP of research at enSilo, argues in a blog post. ®