An ingenious security flaw that would emable an attacker to actively use anti-virus and anti-malware software to implant a suspicious file on a user's computer has been demonstrated by an Austrian security researcher.
The technique, however, requires the attacker to have local administrative privileges.
The researcher, Florian Bogner, disclosed the proof-of-concept after notifying the vendors.
The weakness has been dubbed 'AVGater' by Bogner.
It originally affected more than a dozen different widely used anti-virus programmes, although seven currently undisclosed anti-virus apps also suffer from the problem, he warns.
The companies that have already fixed their packages are: Emisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and Check Point's ZoneAlarm.
In brief, the attack involved taking advantage of the way in which anti-virus software automatically quarantines files that appear malicious, and then use a privilege mismatch vulnerability to move that file to a more dangerous location, such as the root (C:) drive, where it can be executed.
"AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service.
"Hence, file system ACLs [Access Control Lists] can be circumvented (as they don't really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system," Bogner explained.
The end result of triggering these vulnerabilities is full control of a system for a local non-admin attacker.
While the other AV companies are still working on a fix for the potential vulenerability, it's probably best for any network admins to ensure that regular users can't restore files identified as threats, which sort of sounds like common sense anyway to be honest.
Using photocatalysts to convert carbon dioxide into usable energy such as methane or ethane
Trained on curated data from Moorfields Eye Hospital, the neural network also shows clinicians how it reached its judgement
Yokohama National University demonstrate technology that could lead to a fault-tolerant universal quantum computer
Top-of-the-range Threadripper 2990WX now available from Scan, Ebuyer, Overclockers, Novatech and Amazon