
Security wares like Kaspersky AV can make you more vulnerable to attacks


Reefa


A screenshot showing proof-of-concept exploit code working against Kaspersky antivirus software.

Antivirus applications and other security software are supposed to make users more secure, but a growing body of research shows that in some cases, they can open people to hacks they otherwise wouldn't be vulnerable to.

The latest example is antivirus and security software from Kaspersky Lab. Tavis Ormandy, a member of Google's Project Zero vulnerability research team, recently analyzed the widely used programs and quickly found a raft of easy-to-exploit bugs that made it possible to remotely execute malicious code on the underlying computers. Kaspersky has already fixed many of the bugs and is in the process of repairing the remaining ones. In a blog post published Tuesday, he said it's likely he's not the only one to know of such game-over vulnerabilities.

"We have strong evidence that an active black market trade in antivirus exploits exists," he wrote, referring to recent revelations that hacked exploit seller Hacking Team sold weaponized attacks targeting antivirus software from Eset.

He continued: "Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks. For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software. Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks."

As Ormandy suggested, the bugs he found in Kaspersky products would most likely be exploited in highly targeted attacks, such as those the National Security Agency might carry out against a terrorism suspect or spies pursuing an espionage campaign might carry out against the CEO of a large corporation. That means most people are probably better off running antivirus software than forgoing it, at least if their computers run Windows. Still, the results are concerning because they show that the very software we rely on to keep us safe in many cases makes us more vulnerable.

Kaspersky isn't the only security software provider to introduce bugs in their products. Earlier this month, security researcher Kristian Erik Hermansen reported finding four vulnerabilities in the core product marketed by security firm FireEye. One of them made it possible for attackers to retrieve sensitive password data stored on the server running the program. Ormandy has also uncovered serious vulnerabilities in AV software from Sophos and Eset.

In a statement, Kaspersky Lab officials wrote, "We would like to assure all our clients and customers that vulnerabilities publicly disclosed in a blogpost by Google Project Zero researcher, Mr. Tavis Ormandy, have already been fixed in all affected Kaspersky Lab products and solutions. Our specialists have no evidence that these vulnerabilities have been exploited in the wild."

The statement went on to say that Kaspersky Lab developers are making architectural changes to their products that will let them better resist exploit attempts. One change included the implementation of stack buffer overflow protection, which Ormandy referred to as "/GS" in his blog post. Other planned changes include the expansion of mitigations such as address space layout randomization and data execution prevention (for much more on these security measures see How security flaws work: The buffer overflow by Ars Technology Editor Peter Bright). Ormandy thanked Kaspersky Lab for its "record breaking response times" following his report.

Still, the message is clear. To perform, security software must acquire highly privileged access to the computers they protect, and all too often this sensitive position can be abused. Ormandy recommended that AV developers build security sandboxes into their products that isolate downloaded files from core parts of the computer operating system.

"The chromium sandbox is open source and used in multiple major products," he wrote. "Don't wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."

arstechnica.com
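The /GS, ASLR and DEP mitigations mentioned in the statement above are a last line of defence for one bug class: a fixed-size stack buffer filled from attacker-controlled data without a bounds check, which is exactly the kind of work a file unpacker does. As an added example (not code from the Ars article, from Ormandy's post, or from any Kaspersky product), here is a tiny length-prefixed chunk reader in C written with the two checks whose absence creates that bug. The chunk format, the buffer size and the sample inputs are all constructed for this example.

```c
/* Added example: a minimal length-prefixed "chunk" reader of the kind an
 * AV unpacker contains, written with explicit bounds checks. The format is
 * constructed for this example: [1-byte length N][N bytes payload], repeated. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_MAX 16   /* fixed-size stack buffer; small on purpose */

enum unpack_status { UNPACK_OK = 0, UNPACK_TRUNCATED = 1, UNPACK_TOO_LARGE = 2 };

/* Copies one chunk into out[CHUNK_MAX]. 'avail' is the number of input bytes
 * left; *out_len and *consumed are set on success. The two checks below are
 * the ones an unsafe reader typically omits:
 *   1. the declared length must fit the destination buffer (stack overflow), and
 *   2. it must not exceed the remaining input (over-read). */
static enum unpack_status read_chunk(const uint8_t *in, size_t avail,
                                     uint8_t out[CHUNK_MAX], size_t *out_len,
                                     size_t *consumed)
{
    if (avail < 1) return UNPACK_TRUNCATED;
    size_t n = in[0];
    if (n > CHUNK_MAX) return UNPACK_TOO_LARGE;   /* would smash the stack buffer */
    if (n > avail - 1) return UNPACK_TRUNCATED;   /* would read past the input */
    memcpy(out, in + 1, n);
    *out_len = n;
    *consumed = 1 + n;
    return UNPACK_OK;
}

/* Walks a whole input buffer. Returns the number of chunks unpacked, or -1
 * with *err set to the reason the input was rejected. */
int unpack_all(const uint8_t *in, size_t len, enum unpack_status *err)
{
    int count = 0;
    size_t pos = 0;
    while (pos < len) {
        uint8_t chunk[CHUNK_MAX];
        size_t n, used;
        enum unpack_status st = read_chunk(in + pos, len - pos, chunk, &n, &used);
        if (st != UNPACK_OK) { *err = st; return -1; }
        pos += used;
        count++;
    }
    *err = UNPACK_OK;
    return count;
}

/* Convenience wrappers that expose the count and the error code separately. */
int unpack_count(const uint8_t *in, size_t len)
{
    enum unpack_status e;
    return unpack_all(in, len, &e);
}

int unpack_error(const uint8_t *in, size_t len)
{
    enum unpack_status e;
    unpack_all(in, len, &e);
    return (int)e;
}

/* Constructed sample inputs: one well-formed file and two malformed ones. */
static const uint8_t GOOD[]      = { 3, 'a', 'b', 'c', 2, 'x', 'y' };
static const uint8_t OVERSIZED[] = { 200, 'a' };       /* claims 200 bytes, buffer holds 16 */
static const uint8_t TRUNCATED[] = { 5, 'a', 'b' };    /* claims 5 bytes, only 2 present */

int main(void)
{
    printf("good:      %d chunks\n", unpack_count(GOOD, sizeof GOOD));
    printf("oversized: rejected with error %d\n", unpack_error(OVERSIZED, sizeof OVERSIZED));
    printf("truncated: rejected with error %d\n", unpack_error(TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

The point of the two explicit checks is that the parser never depends on /GS, ASLR or DEP to survive a hostile input; those mitigations only turn a missed check from code execution into a crash, and a crash in a privileged AV engine is still a denial of service against the machine it protects.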




No surprise here. Behind closed doors they are the virus creators; how else to sell a product that didn't even exist back when? Norton and McAfee were already busted by this, but they blamed their employees, and they were fired and arrested. They were the fall people for the real people making the decisions for the company. Just like Planned Parenthood, it goes all the way to the top; the ones that make the most money in the company are to blame one way or another.



So is ESET innocent in all of this? Why did their name pop up? o_o;

It's rumored that Kaspersky has ties with hackers... hence how they tend to detect 0-days first, usually because of this connection.



No surprise here. Behind closed doors they are the virus creators; how else to sell a product that didn't even exist back when? Norton and McAfee were already busted by this, but they blamed their employees, and they were fired and arrested. They were the fall people for the real people making the decisions for the company. Just like Planned Parenthood, it goes all the way to the top; the ones that make the most money in the company are to blame one way or another.

As an old-timer, watching the fall and disgrace of Peter Norton's Utilities and AV, from the days when they, like Mace, were part of everyone's toolbox, to the outsourced POS it is today, is both tragic and disheartening. One can only hope Symantec reaps just what it sows and disappears down the hole they ran the company into.



Seems as if no security software is to be trusted if one reads this article by F3dupsk1Nup.

We, the users of security software, should therefore, because our private information is possibly being seen by others, have the right to sue these people, if it can be proved that we are vulnerable to attacks and we are not protected by using their software.



Found some additional info:

Kaspersky was not the only antivirus found to be lacking in its defences. Both ESET and Sophos have been discovered to have exploits that could be used against the system. Ormandy has not looked into other security software providers yet, but has promised to examine them in the future.

Fortunately for Kaspersky users, the company has responded quickly to Ormandy's revelations and is in the process of making architectural changes to its products to better resist exploits.

While Kaspersky, and presumably other antivirus vendors, are taking the threats seriously, it is an unsettling thought to know that our computer defences can be used as an additional attack vector. That is not to say that everyone should uninstall their antivirus; computers are still less likely to be infected by malware with the additional layer of protection than without it. Rather, it looks like the vendors will have to pay more attention to what they are doing and be extra vigilant about any potential exploits in their work.

http://googleprojectzero.blogspot.my/2015/09/kaspersky-mo-unpackers-mo-problems.html



All software is vulnerable to attacks, not just antivirus software. All of you use Windows, I'm predicting, and therefore by using Windows you make yourself vulnerable (what's most vulnerable, the operating system or the security software?). Using antivirus software is better than no security protection at all, and the attacks that occur most are drive-by downloads that attack vulnerabilities in Adobe Flash, Java and JavaScript. Pretty much all exploit kits attack those applications, and I'm not saying they don't try to shut down security products too, but they typically target exploits in the operating system or browser plugins. These exploits are being discovered by Tavis Ormandy, who is a whitehat and is part of Project Zero, which is a positive deal, not a negative one. I would rather hear this from Google's Project Zero than see it being exploited by black hats in the wild; in this situation it's a whitehat, we are fine.



Does that mean ESET is not a good AV now? :huh:

What it means is don't use an AV..



Does that mean ESET is not a good AV now? :huh:

What it means is don't use an AV..

No... that can't be right >_<:

I think what it means is, maybe for these AVs that were flagged, current users of these specific brands ought to reconsider an alternative for now.

Because if the AV itself is exploitable, allowing remote access, then it totally defeats the purpose of using it. Heck, a lower detection rate would be preferable to this sort of major oversight.

But then again, I did link a changelog that may be referencing the specific exploit they were talking about in that study. Seems to be fixed :secret:

On a separate matter though, why is it that ESET has not scored as highly as Avira, Kaspersky and Bitdefender for a while now?

https://www.av-test.org/en/antivirus/home-windows/

But even then these other brands have their own downsides:

- Bitdefender

* It bundles everything found malicious into one category. If I'm not mistaken, this meant that you couldn't see the location of the files separately to know what app location they were from (someone who actually uses this plz clarify). I much preferred the ESET way in how it showed the malicious files, so I know which are false positives. That said, Bitdefender is famous for their engine, and other apps access their engine ....

- Avira

* Heard it's weaksauce against zero-day stuff....

- Kaspersky

* Rumors swirling around that they do all sorts of... stuff that is just plain nasty and not in the consumer's best interest.



There are three major antivirus testing sites: Virus Bulletin, AV-Test and AV-Comparatives. They all test differently. ESET is considered the best antivirus by Virus Bulletin: most passes, with minimal false positives and WildList misses. For your information, Bitdefender uses Avast's engine.



There are three major antivirus testing sites: Virus Bulletin, AV-Test and AV-Comparatives. They all test differently. ESET is considered the best antivirus by Virus Bulletin: most passes, with minimal false positives and WildList misses. For your information, Bitdefender uses Avast's engine.

I was only aware of AV-Test. Didn't realize there was AV-Comparatives, I'll check that one out, thank you :notworthy:

By the way, the result I was referring to was from AV-Test 2014-2015.


