Researchers from a well-known lab have revealed an alarming piece of information about antivirus products. We all know that there are certain vulnerabilities associated with any type of antivirus program. According to the famous laboratory under discussion, such vulnerabilities are being misused to disable the functions of the antivirus software. In some cases, the flaws in the antivirus products are exploited to force the operating system to become unusable.
The primary purpose of any antivirus program is to perform a real-time scan of the files that are stored on your system. If the program detects any suspicious files, it will move them to a secure location. Then, these files will be quarantined. In certain other situations, they will be deleted from the system.
The major issue with the above procedure is that there is always a small time window between the file scan and the cleanup operation.
Yet another basic trait of almost all antivirus software is that they perform operations with the highest level of authority within an operating system. Whenever file operations are done with the highest authority, the situation will invite a host of security vulnerabilities and race conditions.
Now, what exactly is a race condition?
A race condition is nothing but a situation that is created when a system tries to perform two or more functions. In most cases, the situation will be undesirable. Due to the characteristic feature of the system, the functions that it tries to do have to be carried out in a proper sequence if they are to be done correctly. Shortly put, a race condition happens when a system depends on the timing of two or more processes to operate correctly.
The “system” in the above concept could be any software.
Coming back to our antivirus software, we were talking about the small time window that exists between any file scan and the cleanup operation. In this time window, a harmful local user or any malicious software may perform a race condition. The malicious software will then utilize the race condition to do any one of the following:
The common blunder that antivirus software vendors make is not taking the small time window into consideration. Malware authors do not need anything else to make their tactics work. One tiny flaw, and the rest is history!
Researchers from the famous lab state that the attacks can be made in Windows through a directory junction. In Mac and Linux, a symlink (or symbolic link) can be used to perform the attacks. They have added that they were able to delete critical files associated with the antivirus software when they tested all three operating systems. They could also remove some of the key operating system files, which ultimately led to the need for a complete installation of the OS.
In the researchers’ opinion, the flaws that they unearthed could be easily exploited by what they called “seasoned” malware authors. In certain antivirus software, precise timing was found to be necessary for the attacks. For instance, these malware authors have to figure out when exactly to perform the directory junction (Windows) or the symlink (Mac and Linux). If they do it one second too early or a second too late, the exploit will fail to work.
However, in many others, time was not a factor at all. To make the antivirus program destruct itself, a simple loop statement of running the exploit repeatedly was the only essential thing.
People from the lab have published proof of the attacks along with a list of antivirus software that were vulnerable to those attacks. After this alert, antivirus vendors started patching their products.
All the antivirus vendors will now focus more on analyzing the ways in which file operations take place under the user-accessible directories. The lab researchers conclude by emphasizing that whatever the operating system, it is crucial that the file operations take place with the lowest level of authority so that the attacks can be avoided.