SecurityWeek

Critical Flaw Found in AVG, McAfee, Kaspersky Products

A serious vulnerability found in several security products could have been exploited by malicious actors to bypass Windows protection features, data exfiltration prevention firm enSilo reported.

Researchers discovered the vulnerability in March when an enSilo product collided with an AVG Internet Security 2015 installation present on a customer’s systems. A closer analysis revealed that the AVG product had been plagued by a flaw that could have been exploited to hack affected systems.

enSilo later discovered that the same vulnerability, which it rated “critical,” also affected Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2 products, and Intel Security’s McAfee VirusScan Enterprise version 8.8.

According to enSilo, the problem is related to how affected security products allocate a memory page with RWX (Read, Write, Execute) permissions at a constant predictable address. Experts say the vulnerability makes it easier for malicious actors to bypass Windows protections and exploit vulnerabilities in third-party applications, such as web browsers and Adobe Reader, to compromise the underlying system in a multi-stage attack.

“Microsoft places many Windows mitigations against exploits, for instance the randomization of memory (ASLR) and preventing data from running in memory (DEP). Since the memory page is at a constant predictable address, the attacker can know where to write and run the code,” enSilo explained in a blog post. “With the memory allocation set to RWX, that code can be executed, essentially defeating those hurdles that Windows placed in front of threat actors.”

The company believes the issue is not limited to security solutions — it can affect any intrusive application, including performance monitoring and data leak prevention (DLP) solutions.

AVG addressed the vulnerability in March, within two days of disclosure. Intel Security said it released a patch on August 26.

“Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers’ claims and took action to develop and distribute a solution addressing it,” Intel Security told SecurityWeek. “This solution was distributed to customers in a patch on August 26, 2015. We reached out to enSilo with this information on Friday as it appears they are unaware that the issue detailed in their blog has been solved for a number of months at this point.”

Kaspersky Lab, which assigned the vulnerability a CVSS score of only 1.9, said it resolved the flaw with an auto-updated patch released on September 22.

“Kaspersky Lab would like to confirm that in September, enSilo reported a vulnerability to Kaspersky Lab in a responsible manner. The vulnerability has been fixed as fast as possible in our efforts to provide a reliable, high-quality, real-time protection to our customers,” Vyacheslav Zakorzhevsky, Head of Anti-Malware Research Team at Kaspersky Lab, said in an emailed statement.

“The detailed information about the vulnerability was published on our technical support page. Kaspersky Lab would like to thank enSilo for their responsible attitude to our business. We always value the efforts of independent researchers that allow us to make our products better and offer better protection for our customers,” Zakorzhevsky added.

enSilo pointed out that Tavis Ormandy from Google’s Project Zero demonstrated in September how a similar vulnerability affecting Kaspersky products could have been exploited.

“These types of vulnerabilities clearly demonstrate the problems in the security ecosystem. On the one hand, Microsoft invests loads of resources in defenses, mitigations and enhancements to strengthen its system against compromise. On the other hand, there’ll always be some oversight in applications. Unfortunately, it’s precisely vulnerable third party applications which can lead to the compromise of these same defenses,” enSilo said.

The company has developed a tool that allows users to determine if a vulnerable application is present on their system. The tool doesn’t pinpoint the vulnerable application, but it provides information on where to start the analysis.
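The weakness described above (an RWX page at a constant address, which gives ASLR and DEP nothing to protect) and the detection tool mentioned here suggest a simple defender-side check. The following is an added example, not enSilo's tool or code from the article: it parses constructed memory-region listings (the "base size protection" line format is an assumption) taken from several launches of the same application and reports RWX regions whose base address never moves.

```python
import re
from typing import List, Set, Tuple

# Constructed sample data (not from the article): region listings from three
# launches of the same application, one line per region as
# "<base> <size> <protection>", protection written as RWX / RW- / R-X.
SNAPSHOTS = [
    "0x00010000 0x1000 RW-\n0x00400000 0x2000 R-X\n0x7ff00000 0x1000 RWX\n0x10000000 0x1000 RWX",
    "0x00010000 0x1000 RW-\n0x00530000 0x2000 R-X\n0x7fe40000 0x1000 RWX\n0x10000000 0x1000 RWX",
    "0x00010000 0x1000 RW-\n0x00610000 0x2000 R-X\n0x7fd90000 0x1000 RWX\n0x10000000 0x1000 RWX",
]

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+([R-][W-][X-])$")
Region = Tuple[int, int, str]


def parse_regions(listing: str) -> List[Region]:
    """Parse one snapshot into (base, size, protection) tuples; reject malformed lines."""
    regions: List[Region] = []
    for raw in listing.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            raise ValueError(f"unparseable region line: {raw!r}")
        regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return regions


def rwx_bases(regions: List[Region]) -> Set[int]:
    """Base addresses of every region mapped readable, writable and executable."""
    return {base for base, _size, prot in regions if prot == "RWX"}


def predictable_rwx(snapshots: List[str]) -> List[int]:
    """RWX regions whose base is identical in every snapshot: a fixed, predictable
    RWX page of the kind the article describes, where ASLR gives no help."""
    per_snapshot = [rwx_bases(parse_regions(s)) for s in snapshots]
    return sorted(set.intersection(*per_snapshot)) if per_snapshot else []


def relocating_rwx(snapshots: List[str]) -> List[int]:
    """RWX regions seen in some snapshots but not all: still DEP-weakening, but
    their address changes between runs, so they are a lower-priority finding."""
    per_snapshot = [rwx_bases(parse_regions(s)) for s in snapshots]
    if not per_snapshot:
        return []
    return sorted(set.union(*per_snapshot) - set.intersection(*per_snapshot))


if __name__ == "__main__":
    for base in predictable_rwx(SNAPSHOTS):
        print(f"fixed-address RWX region at {base:#010x}")
```

Like the tool the article mentions, this only says that a fixed RWX page exists; attributing it to the module that allocated it is a separate step.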

*Updated with statement from Intel Security

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
