Flaws Found in Security Providers’ Wares

Monday, December 14, 2015 @ 06:12 PM gHale

Serious vulnerabilities found in security products could be exploited to bypass Windows protection features and data exfiltration prevention, researchers said.

One vulnerability in the Malwarebytes antivirus for Windows could lead to memory corruption on the user’s computer, which in turn exposes the system to arbitrary code execution by an attacker, said researchers at COSIG (Centre Opérationnel de Sécurité Informatique Gouvernemental).

In another vulnerability, researchers at enSilo discovered an issue in March when one of its products collided with an AVG Internet Security 2015 installation on a customer’s systems. Upon further review, researchers found the AVG product suffered from a flaw that could have been exploited to hack affected systems.

Later, enSilo discovered the same vulnerability, which it rated “critical,” also affected Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2 products, and Intel Security’s McAfee VirusScan Enterprise version 8.8.

According to enSilo, the problem is related to how affected security products allocate a memory page with RWX (Read, Write, Execute) permissions at a constant predictable address. The vulnerability makes it easier for bad guys to bypass Windows protections and exploit vulnerabilities in third-party applications, such as web browsers and Adobe Reader, to compromise the underlying system in a multi-stage attack.

The company believes the issue is not limited to security solutions — it can affect any intrusive application, including performance monitoring and data leak prevention (DLP) solutions.

AVG addressed the vulnerability in March, within two days of disclosure. Intel Security said it released a patch on August 26.

Kaspersky Lab, which assigned the vulnerability a CVSS score of only 1.9, said it resolved the flaw with an auto-updated patch released September 22.

In the Malwarebytes vulnerability, discovered by Francis Provencher of the COSIG research & pentesting team based in Quebec, Canada, the flaw is triggered “when a malformed executable with an invalid integer (-1) in the ‘SizeOfRawData’ in UPX section is parsed by [the] Malwarebytes [antivirus].”

This leads to memory corruption on the user’s computer, which in turn exposes the system to arbitrary code execution by an attacker.

Memory corruption occurs when the content of a memory location is unintentionally modified by programming errors or, in this case, by malicious code.
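The check a file parser needs before trusting the field named in the advisory, as an added example (not Malwarebytes’ code; the report does not describe the product’s internals): each section’s SizeOfRawData is read as an unsigned 32-bit value and compared against the bytes actually left in the file. The function names, the strict in-file bounds rule and the sample file are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read little-endian integers without assuming alignment. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns the index of the first section whose raw data does not fit in the
 * file, -1 if every section is in bounds, -2 if the headers are malformed. */
int first_bad_section(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -2;
    size_t pe = rd32(buf + 0x3C);                 /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -2;
    uint16_t nsect = rd16(buf + pe + 6);          /* NumberOfSections */
    size_t opt = rd16(buf + pe + 20);             /* SizeOfOptionalHeader */
    size_t tbl = pe + 24 + opt;                   /* section table offset */
    if (tbl > len || (len - tbl) / 40 < nsect) return -2;
    for (uint16_t i = 0; i < nsect; i++) {
        const uint8_t *sh = buf + tbl + (size_t)i * 40;
        uint32_t size = rd32(sh + 16);            /* SizeOfRawData, unsigned */
        uint32_t ptr  = rd32(sh + 20);            /* PointerToRawData */
        /* Subtract instead of adding: ptr + size can wrap in 32 bits. */
        if (ptr > len || size > len - ptr) return i;
    }
    return -1;
}

/* Constructed sample: minimal headers with one "UPX0" section (hypothetical). */
size_t make_sample(uint8_t *buf, size_t cap, uint32_t raw_size) {
    const size_t pe = 0x40, tbl = pe + 24, total = tbl + 40 + 16;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = (uint8_t)pe;
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 6] = 1;                              /* one section, no optional header */
    memcpy(buf + tbl, "UPX0", 4);
    for (int b = 0; b < 4; b++) buf[tbl + 16 + b] = (uint8_t)(raw_size >> (8 * b));
    buf[tbl + 20] = (uint8_t)(tbl + 40);          /* raw data follows the table */
    return total;
}

int main(void) {
    uint8_t f[256];
    printf("%d\n", first_bad_section(f, make_sample(f, sizeof f, 0xFFFFFFFFu)));
    return 0;
}
```

A value of -1 stored in the 32-bit field reads back as 0xFFFFFFFF, which this check rejects because it exceeds the 16 bytes of raw data present in the sample.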

Provencher and COSIG reported the issue to Malwarebytes, the company behind Malwarebytes Anti-Malware (MBAM).

Malwarebytes, a company that entered the antivirus market in 2008 and has gained a positive reputation, responded to the finding and issued a security patch for its product in less than two days.

“A vulnerability in Malwarebytes Anti-Malware 2.2.0 was reported to us by an independent researcher,” a Malwarebytes spokesperson said. “A fix was released two days after it was reported to us and we have seen no evidence it has ever been used in the wild. We work closely with external researchers, and are grateful for the opportunity to improve our products.”