Slashdot Mirror


How AV Can Open You To Attacks That Otherwise Wouldn't Be Possible (arstechnica.com)

Antivirus suites expose a user's system to attacks that otherwise wouldn't be possible, a security researcher reported on Friday. From a report: On Friday, a researcher documented a vulnerability he had found in about a dozen name-brand AV programs that allows attackers who already have a toehold on a targeted computer to gain complete system control. AVGater, as the researcher is calling the vulnerability, works by relocating malware already put into an AV quarantine folder to a location of the attacker's choosing. Attackers can exploit it by first getting a vulnerable AV program to quarantine a piece of malicious code and then moving it into a sensitive directory such as C:\Windows or C:\Program Files, which normally would be off limits to the attacker. Six of the affected AV programs have patched the vulnerability after it was privately reported. The remaining brands have yet to fix it, said Florian Bogner, a Vienna, Austria-based security researcher who gets paid to hack businesses so he can help them identify weaknesses in their networks. Bogner said he developed a series of AVGater exploits during several assignments that called for him to penetrate deep inside customer networks. Using malicious phishing e-mails, he was able to infect employee PCs, but he still faced a significant challenge. Because company administrators set up the PCs to run with limited system privileges, Bogner's malware was unable to access the password database -- known as the Security Account Manager -- that stored credentials he needed to pivot onto the corporate network.

2 of 34 comments

  1. A collection of exploits working together by Opportunist · · Score: 4, Insightful

    I know it's quite common to bash Antivirus, from "they create the viruses themselves to create a market" to "they are snakeoil anyway", so the headline is very Slashdot-y, but please realize that this is exploitable because three things come together:

    1. The way Windows symlinks is FUBAR.
    2. There are STILL programs that simply go by the logic of "let's just load every DLL in this directory".
    3. A program (in this case an AV tool) allows to "restore" files into a directory, does not double check where that ends up and has admin privileges.

    You can probably get the same effect with backup programs.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:A collection of exploits working together by Baron_Yam · · Score: 3, Insightful

      The way Windows handles installing and removing programs is insane. The way programs handle what security Windows offers is insane. But as a platform, Windows was originally designed for 'easy' not 'good', and it did an adequate job of standardizing program UIs, and then providing a standard interface to devices.

      After that, of course, Microsoft (and everyone else) discovered that you could force users onto the upgrade treadmill by changing the standards over time and killing backwards compatibility. And now they have enough of the business desktop market not to care.

      Whee!
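An added example, not part of the story or of either comment above, showing the restore-time check that the story's quarantine-relocation description and the third point in the first comment both call for: before a privileged restore writes a quarantined file back, verify that the recorded destination has not been redirected through a link and does not land in a protected directory. The function names, the constructed temp-directory scenario and the protected-root list are assumptions; the robust fix is still to perform the restore under the requesting user's own privileges so the OS enforces its ACLs, with this check as defence in depth.

```python
import os
import stat
import tempfile


def is_reparse_point(path: str) -> bool:
    """True for a symlink, or on Windows for any reparse point (junctions included)."""
    if os.path.islink(path):
        return True
    try:
        attrs = getattr(os.lstat(path), "st_file_attributes", 0)
    except OSError:
        return False
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def check_restore_path(recorded_path: str, protected_roots) -> str:
    """Validate the location recorded at quarantine time before writing back to it.
    Rejects a link on any ancestor, a path that no longer resolves to the recorded
    location, and a destination inside a protected root."""
    ancestor = os.path.dirname(recorded_path)
    while ancestor != os.path.dirname(ancestor):  # stop at the filesystem root
        if is_reparse_point(ancestor):
            raise PermissionError(f"link on restore path: {ancestor}")
        ancestor = os.path.dirname(ancestor)
    resolved = os.path.realpath(recorded_path)
    if os.path.normcase(resolved) != os.path.normcase(os.path.normpath(recorded_path)):
        raise PermissionError("restore path does not resolve to its recorded location")
    for root in protected_roots:
        root = os.path.realpath(root)
        if os.path.commonpath([resolved, root]) == root:
            raise PermissionError(f"refusing to restore into protected root {root}")
    return resolved


def demo() -> tuple:
    """Constructed scenario: a file is quarantined from a user-writable directory,
    then that directory is swapped for a link into a protected one."""
    base = os.path.realpath(tempfile.mkdtemp())
    system_dir = os.path.join(base, "system")  # stands in for C:\Windows
    user_dir = os.path.join(base, "user")
    for d in (system_dir, user_dir):
        os.makedirs(d)
    recorded = os.path.join(user_dir, "sample.exe")
    ok_before = check_restore_path(recorded, [system_dir]) == recorded
    os.rmdir(user_dir)
    os.symlink(system_dir, user_dir)  # the redirection the article describes
    try:
        check_restore_path(recorded, [system_dir])
        blocked = False
    except PermissionError:
        blocked = True
    return ok_before, blocked
```

demo() returns (True, True): the restore is allowed while the recorded directory is real and refused once it has become a link.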