Bitdefender is struggling with serious security problems
Source: Heise.de, added 11th Nov 2020
A computer science student discovered no fewer than 10 errors in the memory management of Bitdefender's antivirus software. Most of them should be easy to exploit to inject and execute one's own code. That code then runs with the rights of the antivirus software on the affected Windows computer, i.e. with SYSTEM rights and without a sandbox. In plain language: anyone who takes advantage of these holes can bring a system completely under their control with little effort.
Computer science student David L. analyzed Bitdefender's code for unpacking UPX-compressed files and found critical errors in almost every step. None of the bugs are really hard to find; they are bread-and-butter flaws for security researchers, of the kind that can easily be found with fuzzing, for example. Almost half were caused by a missing length check in memory operations. Tavis Ormandy, who has himself already uncovered several such holes in AV software, promptly commented that it was "irresponsible to deliver code in this way".
The findings once again confirm what heise Security already described in 2007 under the heading of antivirus software as a gateway: whenever a security researcher "knocks on anti-virus software", critical security holes tumble out. Security research illustrated this again in 2014, and it does not seem to have fundamentally changed. Antivirus software is a potential security problem. This is all the more true the further one moves away from the mainstream, i.e. Windows Defender AV. Ormandy and others have at least already shaken that one hard, so it should not have such easy-to-find and trivially exploitable holes.
The basic problem is that AV software has to analyze and unpack countless file formats. In many cases, the code of simple tools, such as an open source unpacker, is simply reused; David L. was able to trace many of the flaws he discovered back to the original UPX tools. But those tools were not written to meet the highest security requirements. What administrator would unpack a Trojan on the command line of a production system?
But that is exactly what antivirus software does: not on the command line, but automatically in the background, it unpacks every suspicious piece of data that passes by it. With SYSTEM rights! And in the case of Bitdefender, without additional shielding such as a sandbox. An attacker only has to push his exploit code roughly in the direction of his victim; the rest happens almost automatically.
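The missing length checks described above, shown in corrected form as an added example (not Bitdefender's or UPX's code): a decoder that validates every length and offset field before touching memory. The token format, the function name and the sample bytes are constructed for illustration and are assumptions, not the real UPX stream layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format (NOT UPX's real stream layout):
 *   0x00 <len> <len literal bytes>   copy literals from the input
 *   0x01 <off> <len>                 copy len bytes from out[pos - off]
 * Returns 0 on success, -1 on any malformed or oversized input. */
int unpack_checked(const uint8_t *in, size_t in_len,
                   uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t ip = 0, op = 0;              /* invariants: ip <= in_len, op <= out_cap */
    while (ip < in_len) {
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (in_len - ip < 1) return -1;          /* length byte present? */
            size_t len = in[ip++];
            if (len > in_len - ip) return -1;        /* source read stays in bounds */
            if (len > out_cap - op) return -1;       /* destination write stays in bounds */
            memcpy(out + op, in + ip, len);
            ip += len;
            op += len;
        } else if (tag == 0x01) {
            if (in_len - ip < 2) return -1;          /* offset and length present? */
            size_t off = in[ip++];
            size_t len = in[ip++];
            if (off == 0 || off > op) return -1;     /* must point into produced output */
            if (len > out_cap - op) return -1;
            for (size_t i = 0; i < len; i++, op++)   /* byte-wise: ranges may overlap */
                out[op] = out[op - off];
        } else {
            return -1;                               /* unknown tag */
        }
    }
    *out_len = op;
    return 0;
}
/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]      = {0x00, 0x02, 'a', 'b', 0x01, 0x02, 0x04}; /* "ababab" */
static const uint8_t SAMPLE_BAD_OFF[] = {0x00, 0x01, 'a', 0x01, 0x05, 0x01};      /* offset before buffer start */
static const uint8_t SAMPLE_BAD_LEN[] = {0x00, 0x20, 'a'};                        /* claims 32 literals, has 1 */
int main(void)
{
    uint8_t buf[8]; size_t n = 0;
    printf("ok=%d ", unpack_checked(SAMPLE_OK, sizeof SAMPLE_OK, buf, sizeof buf, &n));
    printf("bad_off=%d ", unpack_checked(SAMPLE_BAD_OFF, sizeof SAMPLE_BAD_OFF, buf, sizeof buf, &n));
    printf("bad_len=%d\n", unpack_checked(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, buf, sizeof buf, &n));
    return 0;
}
```

Each comparison is written as a subtraction on the side that cannot underflow (`in_len - ip`, `out_cap - op`), so an attacker-chosen length cannot wrap the check itself.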
Safe after several attempts
No glory here either: Bitdefender often required several attempts to properly close the reported security holes. In one case, it didn't work until the fourth patch. At least these holes in Bitdefender have all been fixed since the beginning of November. It will start all over again when someone takes a close look at the next analysis function for an obscure file format.
(ju)
media: Heise.de keywords: Memory Open Source Software Windows