An ingenious security flaw that would enable an attacker to actively use anti-virus and anti-malware software to implant a suspicious file on a user's computer has been demonstrated by an Austrian security researcher.
The technique, however, requires the attacker to have local administrative privileges.
The researcher, Florian Bogner, disclosed the proof-of-concept after notifying the vendors.
The weakness has been dubbed 'AVGater' by Bogner.
It originally affected more than a dozen different widely used anti-virus programmes, although seven currently undisclosed anti-virus apps also suffer from the problem, he warns.
The companies that have already fixed their packages are: Emisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and Check Point's ZoneAlarm.
In brief, the attack involves taking advantage of the way in which anti-virus software automatically quarantines files that appear malicious, and then using a privilege mismatch vulnerability to move that file to a more dangerous location, such as the root (C:) drive, where it can be executed.
"AVGater can be used to restore a previously quarantined file to any arbitrary filesystem location. This is possible because the restore process is most often carried out by the privileged AV Windows user mode service.
"Hence, file system ACLs [Access Control Lists] can be circumvented (as they don't really count for the SYSTEM user). This type of issue is called a privileged file write vulnerability and can be used to place a malicious DLL anywhere on the system," Bogner explained.
The end result of triggering these vulnerabilities is full control of a system for a local non-admin attacker.
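The class of bug Bogner describes is a privileged file write: a service running as SYSTEM writes a file to a path chosen by an unprivileged user, so the ACLs that would normally stop that user never come into play. The example below is added here and is not Bogner's proof-of-concept or any vendor's code; it sketches how a quarantine-restore routine can defend against the pattern by resolving the requested destination (following any symlink or junction) and refusing to write anywhere outside the requesting user's own tree, then exercises the check against constructed fixtures. Function names, the temporary directory layout and the sample file are all assumptions made for the example.

```python
import os
import shutil
import tempfile


class RestoreRejected(Exception):
    """Raised when a quarantine restore would land outside the allowed tree."""


def resolve_under_root(dest, allowed_root):
    """Return the fully resolved destination if its parent lies under allowed_root.

    realpath() follows every symlink / junction in the path, so a directory that
    has been swapped for a link pointing at a privileged location resolves to
    that location and is rejected here instead of being written to.
    """
    root = os.path.realpath(allowed_root)
    real_parent = os.path.realpath(os.path.dirname(dest))
    if os.path.commonpath([root, real_parent]) != root:
        raise RestoreRejected(f"{dest!r} resolves to {real_parent!r}, outside {root!r}")
    return os.path.join(real_parent, os.path.basename(dest))


def restore_from_quarantine(quarantine_file, dest, allowed_root):
    """Copy a quarantined file back to dest without trusting the requested path.

    A naive restore that writes wherever the user asks, while running as SYSTEM,
    is the privileged file write Bogner describes. This version pins the write
    to the resolved path under allowed_root and opens the target with O_EXCL
    (plus O_NOFOLLOW where the platform has it), so an existing file or link at
    the destination is never overwritten.
    """
    final = resolve_under_root(dest, allowed_root)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(final, flags, 0o600)
    with open(quarantine_file, "rb") as src, os.fdopen(fd, "wb") as dst:
        shutil.copyfileobj(src, dst)
    return final


def demo():
    """Constructed fixture: a user tree and a 'privileged' tree under one tempdir.

    The privileged directory stands in for a location such as the root of C:.
    Returns a dict describing how each restore request was handled.
    """
    base = tempfile.mkdtemp()
    user_root = os.path.join(base, "user")
    privileged = os.path.join(base, "privileged")
    os.makedirs(user_root)
    os.makedirs(privileged)
    quarantined = os.path.join(base, "quarantine", "sample.bin")
    os.makedirs(os.path.dirname(quarantined))
    with open(quarantined, "wb") as f:
        f.write(b"quarantined sample (constructed)")

    results = {}
    # Case 1: an ordinary restore into the user's own tree succeeds.
    restored = restore_from_quarantine(
        quarantined, os.path.join(user_root, "restored.bin"), user_root)
    results["normal"] = os.path.basename(restored)

    # Case 2: a destination given directly outside the tree is refused.
    try:
        restore_from_quarantine(quarantined, os.path.join(privileged, "x.dll"), user_root)
        results["outside"] = "written"
    except RestoreRejected:
        results["outside"] = "rejected"

    # Case 3: a directory inside the tree that is really a link leading out of it.
    link = os.path.join(user_root, "out")
    os.symlink(privileged, link, target_is_directory=True)
    try:
        restore_from_quarantine(quarantined, os.path.join(link, "x.dll"), user_root)
        results["link"] = "rejected" if False else "written"
    except RestoreRejected:
        results["link"] = "rejected"

    # The privileged tree must still be empty after all three requests.
    results["privileged_untouched"] = os.listdir(privileged) == []
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the check runs on the resolved parent directory, not on the string the user supplied: a path that looks like it is inside the user's profile can still end up anywhere if one of its components has been replaced by a link. A real Windows service would add impersonation of the requesting user for the write itself, so the kernel enforces the ACLs rather than the service re-implementing them.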
While the other AV companies are still working on a fix for the potential vulnerability, it's probably best for any network admins to ensure that regular users can't restore files identified as threats, which sort of sounds like common sense anyway to be honest.