Predictable: How AV flaw hit Microsoft's Windows defences

An ecosystem issue explained

Could it be that time spent by Microsoft on software security counts for naught?

Possibly - based on the findings of an investigation by enSilo that found some of the best-known AV names are susceptible to new vulnerabilities.

The results are alarming, suggesting an entire ecosystem unwittingly opening a back door into systems for hackers and malware writers.

But what exactly is the problem and what's the cause? We reported the breaking story here, but what are the details?

Well, the core problem stems from anti-virus products allocating a memory page with write permissions at a fixed, predictable address.

enSilo cottoned on to the problem at a customer site in March 2015, after it investigated a snag involving its data exfiltration prevention platform and security technology from AVG, also installed in the customer’s environment.

An investigation by enSilo revealed a flaw in AVG Internet Security which effectively enabled a threat actor to exploit old vulnerabilities in a third party application (such as Acrobat Reader) in order to compromise the underlying Windows system. enSilo disclosed this issue to AVG, which promptly patched the vulnerability.

Follow-up research by enSilo has revealed that versions and builds of other anti-virus tools from Kaspersky and Intel Security are vulnerable to similar collisions.

The connecting issue was the use of that combination of memory page and predictable address.

This practice runs contrary to the attack mitigation technologies Microsoft has introduced into Windows, namely the randomisation of memory layout (ASLR - Address Space Layout Randomization) and the prevention of data pages being executed (DEP - Data Execution Prevention). Since the memory page allocated by these antivirus packages sits at a constant, predictable address, an attacker or hacking group knows in advance where to write and run exploit code, potentially defeating Microsoft's mitigations in the process.

The security flaw at play is serious, but less than critical. If present, the bug bypasses a mitigation, but it doesn't allow for code execution by itself. “If someone runs a five year old Adobe Reader then what AV you run and whether it helps an attacker bypass ASLR isn't your biggest concern,” an independent expert (who asked not to be quoted) told El Reg.

According to enSilo the issue arises with various versions of particular anti-virus packages, as listed below:

  • McAfee VirusScan Enterprise version 8.8. The security snag crops up in the Anti Malware + Add-on Modules, scan engine version (32 bit) 5700.7163, DAT version 7827.0000, Buffer Overflow and Access Protection DAT version 659. enSilo states this issue is yet to be resolved - a claim firmly denied by Intel Security, which said it patched the bug in late August.
  • Kaspersky Total Security 2015 - kts15.0.2.361en_7342. Kaspersky silently fixed the issue with a patch dated 24 September, according to enSilo.
  • AVG Internet Security 2015 build 5736 + Virus database 8919. AVG patched the bug on 12 March.

Intel Security and Kaspersky are yet to respond to El Reg’s request for comment on the issue.

“Multiple AVs providing ways to bypass DEP and ASLR - does not inspire confidence. Glad at least AVG patched quickly,” security blogger Kurt Wismer told El Reg.

Although enSilo suggests multiple other anti-virus packages and even other classes of security products might be vulnerable, it hasn’t verified this itself, an omission criticised by some security observers we spoke to as potentially alarmist. “They're slagging off a whole industry based on three products having issues,” one expert told us. “The problem with these over-the-top reports is that it doesn't mean they are wrong, but it's really hard to tell among a lot of FUD.”

Instead of checking the issue itself, enSilo has put together a free checking utility called AVulnerabilityChecker, which it has uploaded to GitHub.
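The check itself is simple to reason about: a page that is both writable and executable is a DEP concern on its own, and if it turns up at exactly the same base address in several unrelated processes, it was not randomised by ASLR either. The script below is an added example written for this article, not enSilo's AVulnerabilityChecker or any vendor's code. On a real Windows host the per-process region list would come from VirtualQueryEx (the MEMORY_BASIC_INFORMATION state and protect fields); to keep the example runnable anywhere, the region list is a constructed text dump in a line format invented for this example, and the pids and addresses in it are made up.

```python
"""Flag write+execute memory regions that sit at the same base address in
more than one process - the pattern described in the article above.

The PAGE_* and MEM_* constants are the real values from winnt.h. The dump
format ("pid base size state protect", hex fields) is constructed for this
example and is not emitted by any Windows tool.
"""
from collections import defaultdict

# Memory protection constants (winnt.h). Only the low byte carries the base
# protection; PAGE_GUARD (0x100) and friends are modifier bits above it.
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100

MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000

WRITE_EXEC_PROTECTIONS = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Constructed sample: three processes, one RWX page at a fixed address in all
# of them, plus regions that must NOT be flagged (RW heap, RX image, RWX at a
# process-specific address, an uncommitted reservation, a guarded RW page).
SAMPLE_DUMP = """
# pid  base              size      state  protect
1234   0000000000010000  00001000  1000   40    # RWX, same address everywhere
1234   00000000001a0000  00020000  1000   04    # heap, read/write only
1234   00007ff612340000  00001000  1000   20    # image code, read/execute
1234   0000000002300000  00010000  1000   40    # RWX but process-specific
1234   0000000000020000  00001000  2000   00    # reserved, not committed
1234   00000000000f0000  00001000  1000   104   # PAGE_GUARD | PAGE_READWRITE
5678   0000000000010000  00001000  1000   40
5678   0000000000560000  00020000  1000   04
5678   00007ff6a1230000  00001000  1000   20
5678   0000000003c00000  00010000  1000   40
5678   0000000000020000  00001000  2000   00
9012   0000000000010000  00001000  1000   40
9012   0000000000710000  00020000  1000   04
9012   00007ff6c4560000  00001000  1000   20
9012   0000000000020000  00001000  2000   00
"""


def parse_region_dump(text):
    """Parse the constructed dump into {pid: [(base, size, state, protect)]}."""
    regions = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        pid, base, size, state, protect = line.split()
        regions[int(pid)].append(
            (int(base, 16), int(size, 16), int(state, 16), int(protect, 16))
        )
    return dict(regions)


def is_write_exec(state, protect):
    """True for a committed region whose base protection allows both
    writing and execution. Modifier bits such as PAGE_GUARD are masked off
    so a guarded RWX page is still reported."""
    if state != MEM_COMMIT:
        return False
    return (protect & 0xFF) in WRITE_EXEC_PROTECTIONS


def find_predictable_rwx(regions, min_processes=2):
    """Return {base_address: [pids]} for committed write+execute regions
    that appear at the identical base address in at least min_processes
    processes. A per-process RWX region (JIT heap, say) is only a DEP
    concern; one shared across unrelated processes is also an ASLR bypass."""
    pids_by_base = defaultdict(set)
    for pid, regs in regions.items():
        for base, _size, state, protect in regs:
            if is_write_exec(state, protect):
                pids_by_base[base].add(pid)
    return {
        base: sorted(pids)
        for base, pids in pids_by_base.items()
        if len(pids) >= min_processes
    }


def scan_sample():
    """Run the check over the constructed dump."""
    return find_predictable_rwx(parse_region_dump(SAMPLE_DUMP))


if __name__ == "__main__":
    for base, pids in sorted(scan_sample().items()):
        print(f"write+execute page at 0x{base:016x} in processes {pids}")
```

The only hit in the sample is the page at 0x10000, present in all three processes; the process-specific RWX regions, the uncommitted reservation and the guarded read/write page are all ignored. Swapping parse_region_dump for a VirtualQueryEx walk over the processes a security product injects into is the only change needed to run the same logic against a live host, and raising min_processes reduces noise from coincidental collisions.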

Independent tests using the tool by Simon Edwards, technical director at Dennis Technology Labs, an experienced antivirus tester and chairman of the Anti-Malware Testing Standards Organization, suggest that products from Symantec and BitDefender (among others) might be vulnerable. Security products from Microsoft and others avoid the problem, according to preliminary testing.

“We used that vulnerability scanner to check 22 anti-malware products, including a lot that we regularly test,” Edwards told El Reg. “We found that 12 were ‘likely to be vulnerable’.”

Exploiting the vulnerability is far from a theoretical risk, according to enSilo. It argues that Tavis Ormandy from Google’s Project Zero exploited a vulnerability in Kaspersky’s technology back in September that he uncovered through fuzzing. All this really proves is that security products have flaws too, we'd counter-argue.

“These types of vulnerabilities clearly demonstrate the problems in the security eco-system. On the one hand, Microsoft invests loads of resources in defences, mitigations and enhancements to strengthen its system against compromise… [but] vulnerable third party applications can lead to the compromise of these same defences,” Tomer Bitton, VP of research at enSilo, argues in a blog post. ®

Biting the hand that feeds IT © 1998–2022