OK…most of the possible exploits found and described by Joxean Koret (a researcher at COSEINC, a Singapore-based security firm) are pretty exotic and would need real experts to turn into working attacks, but some really aren’t, and worse…even when told of the bugs, only a couple of companies bothered to ask how to fix them, and only one (ESET) did so nicely. Apparently they expected him to supply the fixes for free.
“At the SyScan 360 security conference in Beijing earlier this month, Joxean Koret claimed to have found flaws in antivirus engines found at the hearts of many major antivirus software products, including those made by Avast, Bitdefender, Avira, AVG, Comodo, ClamAV, DrWeb, ESET, F-Prot, F-Secure, Panda and eScan. Koret also documented several ways that antivirus software could be allegedly compromised or manipulated to make what should be a wall into a door.” – TomsGuide
The details are very technical, but they’re available online in pdf form.
Importantly, Malwarebytes was not tested…and so many of us use that program. That was disappointing.
Essentially, Koret points out some very important things (which reminds me of the_Monk’s assertions):
“antivirus programs often install with high administrator privileges, which lets them perform necessary actions such as scanning the entire and modifying or removing malicious programs. However, if an antivirus program were compromised, it would have extensive power to abuse the computer on which it was installed.” – ibid
If that’s indeed true (and it is), then the AV program actually increases the attack surface and adds that many more connections that can be hacked or otherwise exploited. His results show the AVs have serious flaws, even zero-day flaws…just like any other program.
Also, most AVs update via plain HTTP connections rather than digitally signed, encrypted HTTPS connections, making them vulnerable to man-in-the-middle attacks where one thinks he’s downloading an update but in fact downloads entirely different content.
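As an added illustration (not from the article or the slides) of why an authenticated update channel matters: a minimal updater that pins the payload digest in a manifest and authenticates the manifest with a vendor key, so content swapped by a man-in-the-middle is rejected. The key, payload and manifest format are constructed for this example, and an HMAC stands in for the public-key signature a real vendor would use.

```python
import hashlib
import hmac
import json

# Constructed sample values: the key and payload are invented for this example.
# A real vendor would sign with a private key and ship the public key in the
# product; the HMAC here plays the same role with the same verification shape.
VENDOR_KEY = b"example-vendor-signing-key"     # assumption: known only to the vendor/client
GENUINE_UPDATE = b"virus-definitions-v1234"     # constructed update payload


def make_manifest(payload: bytes, key: bytes) -> bytes:
    """Vendor side: publish the payload digest and authenticate the manifest."""
    body = json.dumps({"version": 1234,
                       "sha256": hashlib.sha256(payload).hexdigest()}).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


def verify_update(manifest: bytes, payload: bytes, key: bytes) -> bool:
    """Client side: refuse any update whose manifest or payload changed in transit."""
    try:
        env = json.loads(manifest)
        body = env["body"].encode()
        # Constant-time compare so a network attacker cannot forge the manifest tag.
        expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, env["tag"]):
            return False
        # The authenticated manifest pins the payload digest, so a swapped
        # download is rejected even though the manifest itself is intact.
        pinned = json.loads(body)["sha256"]
        return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), pinned)
    except (KeyError, ValueError, TypeError):
        return False


def simulate_mitm(manifest: bytes, payload: bytes) -> tuple:
    """Model an attacker on a plain-HTTP channel rewriting the downloaded bytes."""
    return manifest, b"entirely-different-content"


if __name__ == "__main__":
    manifest = make_manifest(GENUINE_UPDATE, VENDOR_KEY)
    print("genuine update accepted:", verify_update(manifest, GENUINE_UPDATE, VENDOR_KEY))
    m2, p2 = simulate_mitm(manifest, GENUINE_UPDATE)
    print("tampered update accepted:", verify_update(m2, p2, VENDOR_KEY))
```

Without the manifest check, the second download would be installed with the AV's elevated privileges; with it, the client detects the substitution and keeps the old definitions.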
Koret stated he found various vulnerabilities in 17 major AVs. Some (such as Avast and ESET) patched their software by the time of his presentation in China…but the others allegedly had not.
So, should you be worried? Andreas Marx, CEO of AV-Test says that the vulnerabilities exist but are (currently) largely theoretical.
"Insecure code might put the user at risk, as demonstrated in the presentation. However, at the moment, such attacks are more research-oriented (proof of concept) or might be used for targeted attacks," Marx told Tom's Guide. "I'm not aware of a recent widespread virus or other malware which exploited a vulnerability in AV software." – TomsGuide
He said that’s because there are many AVs, none of which has a commanding market share. So why pick a small target when huge ones like Java, Adobe Reader and Adobe Flash are on millions of computers in the world?
While that does make sense, something in me really is unhappy with the idea of an AV made vulnerable by poor/inadequate testing and sloppy updating protocols (among other problems). Their code should be impeccable and updating should be as secure as possible. After all, the only way they can serve their purpose is by elevation of privileges.
Even worse? Why wouldn’t they pay him a reward for his work and get their butts busy on fixing the defects? To me, that kind of greed or pride goes before the fall.
So, are AVs worth it? Yes, with a good deal less enthusiasm. VPNs are looking a lot better. Common sense and good browsing habits are as well.
Maybe the_Monk will help us all with a “how to” on the subject of privileges, although a vulnerable AV would pretty much neutralize that by virtue of the fact that AVs typically assume the highest ‘privileges’.
ESET…beginning to look at you again after a long hiatus in our relationship…if only because you were polite.
Sorry if this causes sleepless nights…I didn’t sleep well last night myself.
http://www.tomsguide.com/us/antivirus-software-insecure,news-19227.html – primary.
http://www.syscan360.org/slides/2014_EN_BreakingAVSoftware_JoxeanKoret.pdf – presentation in pdf form. Should be read.