A serious vulnerability found in several security products could have been exploited by malicious actors to bypass Windows protection features, data exfiltration prevention firm enSilo reported.
Researchers discovered the vulnerability in March when an enSilo product collided with an AVG Internet Security 2015 installation present on a customer’s systems. A closer analysis revealed that the AVG product had been plagued by a flaw that could have been exploited to hack affected systems.
enSilo later discovered that the same vulnerability, which it rated “critical,” also affected Kaspersky’s Anti-Virus 2015 MR2 and Internet Security 2015 MR2 products, and Intel Security’s McAfee VirusScan Enterprise version 8.8.
According to enSilo, the problem is related to how affected security products allocate a memory page with RWX (Read, Write, Execute) permissions at a constant predictable address. Experts say the vulnerability makes it easier for malicious actors to bypass Windows protections and exploit vulnerabilities in third-party applications, such as web browsers and Adobe Reader, to compromise the underlying system in a multi-stage attack.
“Microsoft places many Windows mitigations against exploits, for instance the randomization of memory (ASLR) and preventing data from running in memory (DEP). Since the memory page is at a constant predictable address, the attacker can know where to write and run the code,” enSilo explained in a blog post. “With the memory allocation set to RWX, that code can be executed, essentially defeating those hurdles that Windows placed in front of threat actors.”
The company believes the issue is not limited to security solutions — it can affect any intrusive application, including performance monitoring and data leak prevention (DLP) solutions.
AVG addressed the vulnerability in March, within two days of disclosure. Intel Security said it released a patch on August 26.
“Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers’ claims and took action to develop and distribute a solution addressing it,” Intel Security told SecurityWeek. “This solution was distributed to customers in a patch on August 26, 2015. We reached out to enSilo with this information on Friday as it appears they are unaware that the issue detailed in their blog has been solved for a number of months at this point.”
Kaspersky Lab, which assigned the vulnerability a CVSS score of only 1.9, said it resolved the flaw with an auto-updated patch released on September 22.
“Kaspersky Lab would like to confirm that in September, enSilo reported a vulnerability to Kaspersky Lab in a responsible manner. The vulnerability has been fixed as fast as possible in our efforts to provide a reliable, high-quality, real-time protection to our customers,” Vyacheslav Zakorzhevsky, Head of Anti-Malware Research Team at Kaspersky Lab, said in an emailed statement.
“The detailed information about the vulnerability was published on our technical support page. Kaspersky Lab would like to thank enSilo for their responsible attitude to our business. We always value the efforts of independent researchers that allow us to make our products better and offer better protection for our customers,” Zakorzhevsky added.
enSilo pointed out that Tavis Ormandy from Google’s Project Zero demonstrated in September how a similar vulnerability affecting Kaspersky products could have been exploited.
“These types of vulnerabilities clearly demonstrate the problems in the security ecosystem. On the one hand, Microsoft invests loads of resources in defenses, mitigations and enhancements to strengthen its system against compromise. On the other hand, there’ll always be some oversight in applications. Unfortunately, it’s precisely vulnerable third party applications which can lead to the compromise of these same defenses,” enSilo said.
The company has developed a tool that allows users to determine if a vulnerable application is present on their system. The tool doesn’t pinpoint the vulnerable application, but it provides information on where to start the analysis.
*Updated with statement from Intel Security