Matousec.com is reporting that they have discovered a massive vulnerability in the kernel mode drivers installed by all the major antivirus and internet security products. Apparently, this vulnerability can be used, even by a code running on an unprivileged user account, to bypass the self-defence of the concerned security products.
The list of affected products is huge. Everyone including AVG, Avira, Avast, BitDefender, Kaspersky, McAfee, Comodo, ESET, F-Secure, GDATA, Online Armor, Panda, Sophos, ThreatFire, Trend Micro and Zone Alarm are vulnerable.
The exploit belongs to the category of argument-switch attack. In a multi-tasking environment like ours, the operating system constantly switches between processes. This switching is taken care of by the scheduler. Consider a scenario where the attacker calls system services with innocuous parameters that will definitely pass through the security checks put in place by your antivirus. Now, when the fake thread gets its time slice, it modifies the values of the parameters to malicious ones. If the order of scheduling were such that this event occurs after the security checks have been carried out by the antivirus, but before the service is called, then the attack would be successful.
The vulnerability does seem to rely a lot on chance (a particular race condition). Unfortunately, it can be exploited fairly reliably on systems with multi-core processors. This is because multiprocessing systems allow the execution of two threads from the same program simultaneously, which makes the tricky sequence of execution becomes quite unnecessary. The in-depth explanation of the vulnerability is available here.
In an official blogpost F-Secure has validated Matousec’s findings. While it confirmed that the issue is serious, F-secure stressed that this attack does not “break” all antivirus systems forever.
5 responses to “KHOBE – Security Vulnerability Found in Almost All Antivirus and Security Products”
[…] Vulnerability Found in Almost All Antivirus and Security Products Source […]
Nice post which includes about the vulnerability where all the antivrus notes them in an PC. There are many antiviruses that could stop them.
.-= yreadthisÂ´s last blog ..SMARTPHONES AT THE MARKET =-.
I found your blog page on google and read several of your other posts. i just now added you to your Google News Reader. Keep up the good work count on reading more from you in the foreseeable future.
Well, nothing is perfect and antivirus programs will have some bugs. It is more than obvious but in all cases, those security tools are essentials and very useful!
I really wondered that such major players also have security vulnerability because they make big claim of the best security out there. I have read a blog post in which there was a debate on internet security. As said previously nothing is perfect and nothing is safe on internet. Many big heads are currently putting more emphasize on safe internet browsing movement. Despite having such high security products installed, I think we need to put more rely on personal awareness before sharing anything on internet especially confidential data.