Security software can considerably increase exposure to targeted attacks, according to Google information security engineer Tavis Ormandy.
Ormandy and other Google Project Zero researchers have been working on improving the software testing method known as fuzzing in an effort to make the process of identifying security issues more efficient. The expert has been applying some of the techniques to antiviruses and earlier this month he reported finding many serious vulnerabilities in Kaspersky products, including a critical buffer overflow that was quickly patched by the security firm.
In the past, the expert also identified serious security holes in products from ESET and Sophos, and in the future he plans on analyzing solutions from other vendors as well.
In a blog post published on Wednesday, Ormandy detailed some of the vulnerabilities found in Kaspersky products and pointed out that such security holes can pose a serious risk to users since they dramatically increase exposure to targeted attacks.
“For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software,” the Google security engineer explained. “Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks.”
Ormandy believes that antivirus vendors should seriously consider sandboxing unpackers, emulators and parsers, and not run them with system privileges. One solution would be the open source Chromium sandbox.
Ormandy claims to have reported dozens of vulnerabilities to Kaspersky Lab, some of which have yet to be fixed.
According to the expert, the vulnerabilities found in Kaspersky products affect features such as network intrusion detection, SSL interception, and file scanning to browser integration. Ormandy says many of the critical vulnerabilities he reported to Kaspersky could have been easily exploited to attack users and compromise their systems.
“Because antivirus products typically intercept filesystem and network traffic, simply visiting a website or receiving an email is sufficient for exploitation. It is not necessary to open or read the email, as the filesystem I/O from receiving the email is sufficient to trigger the exploitable condition,” Ormandy said about one of the issues.
The security company has assured customers that the flaws publicly disclosed by the Google security engineer have been patched in all affected products. Furthermore, the company says it hasn’t found any evidence to suggest that the vulnerabilities have been exploited in the wild, and highlighted the fact that Ormandy’s efforts and findings were backed by the computing power of Google Project Zero.
“The flaws discovered in the code of Kaspersky Lab products led to the incorrect parsing of malformed files in the following formats: DEX, VB6, CHM, ExeCryptor, PE, ‘Yoda’s Protector’, and some other malicious files, which resulted in integer and buffer overflows,” Kaspersky Lab told SecurityWeek. “The first fix was delivered to our clients via automatic database updates within 24 hours of the company becoming aware of the issue; the latest fix for these vulnerabilities was delivered on 13 September 2015. Additionally, we have implemented stack buffer overflow protection (referred to as ‘/GS’ by the researcher) for container extraction, delivering the fix to our customers by 15 September 2015.”
“To further improve the resilience of our products we are taking active measures to mitigate the risks of exploiting the inherent imperfections of software. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), and plan to expand their usage in future,” the company added.
Ormandy says he is not done auditing Kaspersky products.
Learn More About Fuzzing at the 2015 ICS Cyber Security Conference