Security specialists from CyberArk Labs have published research describing multiple security vulnerabilities in several antivirus products. Abuse of these weaknesses could allow threat actors to compromise affected systems.
It should be remembered that antivirus solutions run with high privileges, so exploiting any of these flaws would allow a local attacker to obtain elevated permissions and deploy subsequent attacks. According to the report, the flaws affect products from multiple anti-malware vendors, including Kaspersky, McAfee, Fortinet, Symantec and Check Point, among others. Most of these companies have already corrected the flaws.
One of the main causes of these flaws is the default DACL of the C:\ProgramData directory. On Windows, applications use ProgramData to store data that is shared by all users of the machine, so by default any user can read it and create files and folders in it; this is unlike %LocalAppData%, which is per-user and accessible only to the currently logged-on user.
A threat actor could exploit these flaws to delete files from arbitrary locations, and could escalate privileges when a non-privileged process creates a folder in ProgramData that is later used by a vulnerable antivirus solution running with high privileges. The list of affected vendors is shown below:
- Kaspersky
- McAfee
- Symantec
- Fortinet
- Check Point
- Trend Micro
- Avira
- Microsoft
- Avast + F-Secure
The researchers also noted that, in the case of McAfee, the installer ran after the "McAfee" folder had been created, so a standard user who had created that folder beforehand kept full control over it; in other words, a local user could obtain elevated permissions through a symbolic link attack. The researchers also reported DLL hijacking flaws in Trend Micro, Fortinet and other antivirus products that could allow an attacker to place a malicious DLL in the application directory, have it loaded by the privileged process and thereby raise privileges.
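The two conditions described above (a ProgramData subfolder that a standard user can write to or has already turned into a reparse point, and a service binary living in a directory a standard user can write to) can be checked on a host. The following PowerShell audit script is an added example written for this page; it is not part of the CyberArk report or of any vendor's code. The function names (Test-UserWritable, Get-RiskyProgramDataDirs, Get-RiskyServiceDirs, Repair-VendorDirAcl) are hypothetical, the DACL check is an approximation (it does not model the full explicit/inherited ordering of Deny ACEs), and the remediation step assumes the product in question does not need standard-user writes to its folder.

```powershell
# Added audit script (not from the CyberArk report or any antivirus vendor).
# Function names are hypothetical. Requires Windows PowerShell 5.1 or later;
# run elevated so that every directory's ACL can be read.

# Identities that effectively mean "any local user" when they appear in an ACE.
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let such a user plant, replace or delete content in a directory.
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                     [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete -bor
                     [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                     [System.Security.AccessControl.FileSystemRights]::WriteDac -bor
                     [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                     [System.Security.AccessControl.FileSystemRights]::FullControl)

function Test-UserWritable {
    # Approximate check: any Allow ACE granting write-class rights to a low-privilege
    # identity, unless a Deny ACE for the same class of identity is present.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-RiskyProgramDataDirs {
    # Folders under ProgramData that a standard user can write to, or that are
    # already junctions/symlinks. A folder owned by an ordinary user account is the
    # fingerprint of the "create the vendor folder before the installer runs" trick.
    param([string]$Root = $env:ProgramData)
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $isReparse = ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0
        $writable  = Test-UserWritable -Path $_.FullName
        if ($writable -or $isReparse) {
            $owner = 'unknown'
            try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch {}
            [pscustomobject]@{
                Path         = $_.FullName
                Owner        = $owner
                UserWritable = $writable
                ReparsePoint = $isReparse
            }
        }
    }
}

function Get-RiskyServiceDirs {
    # Services whose executable sits in a directory a standard user can write to:
    # a DLL dropped there is loaded by the service process at its privilege level.
    Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $pn = $_.PathName
        if ($pn -match '^"([^"]+)"')    { $exe = $Matches[1] }   # quoted path, args may follow
        elseif ($pn -match '^(.+?\.exe)') { $exe = $Matches[1] }   # unquoted path, possibly with spaces
        else                            { $exe = ($pn -split ' ')[0] }
        $dir = Split-Path -Path $exe -Parent
        if ($dir -and (Test-Path -LiteralPath $dir) -and (Test-UserWritable -Path $dir)) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Directory = $dir }
        }
    }
}

function Repair-VendorDirAcl {
    # Resets a vendor folder so that only SYSTEM and Administrators can write and
    # standard users keep read/execute. Run elevated, and only after confirming the
    # product does not rely on standard-user writes to this folder.
    param([Parameter(Mandatory)][string]$Path)
    & icacls.exe $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX'
}

'== ProgramData folders a standard user can write to, or that are reparse points =='
Get-RiskyProgramDataDirs | Format-Table -AutoSize
'== Service binaries living in directories a standard user can write to =='
Get-RiskyServiceDirs | Format-Table -AutoSize
```

Each hit from the first listing should be compared against what the owning product actually needs: a folder that must receive data from user sessions is a design constraint, not a bug, but a folder that only a SYSTEM service writes to should not remain creatable or writable by BUILTIN\Users, and it should never be a reparse point. A hit from the second listing is worth treating as a finding regardless of vendor, since the privileged process, not the user, decides which DLLs get loaded from that directory.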
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as a cyber security investigator and has also worked for several security companies. His everyday job includes researching new cyber security incidents, and he has deep knowledge of enterprise security implementation.