Error and security flaw in Windows 10 antivirus: DACL and privileges

Researchers from CyberArk Labs have warned of critical vulnerabilities in antivirus products that allow an attacker to elevate privileges and to install and keep malware on a computer, bypassing all of its security mechanisms. Antivirus software is usually among the most privileged components on a machine; its processes typically cannot even be terminated from Task Manager. A vulnerability in such a component is therefore one of the most dangerous things that can happen to a system.

Windows Defender, among those affected

The bug affects the most widely used antivirus products on the market. The list is as follows, with the CVE identifiers assigned to each of them.

  • Kaspersky Security Center: CVE-2020-25043, CVE-2020-25044, CVE-2020-25045
  • McAfee Endpoint Security and McAfee Total Protection: CVE-2020-7250, CVE-2020-7310
  • Symantec Norton Power Eraser: CVE-2019-1954
  • Fortinet FortiClient: CVE-2020-9290
  • Check Point ZoneAlarm and Check Point Endpoint Security: CVE-2019-8452
  • Trend Micro HouseCall for Home Networks: CVE-2019-19688, CVE-2019-19689, and three further vulnerabilities without assigned CVEs.
  • Avira: CVE-2020-13903
  • Microsoft Defender: CVE-2019-1161

Of all the vulnerabilities found, perhaps the most important is the one that allows an attacker to delete files anywhere on the computer. The flaw originates in the Discretionary Access Control Lists (DACLs) of the ProgramData folder, which applications use to store data for standard users without requiring elevated permissions. Because a standard user has permission to write and delete within that directory, a folder created there by a non-privileged process can later be used by a process that does run with privileges.

An attacker could therefore run two processes, one privileged and one not, that share the same log file in ProgramData. The privileged process could then be used to remove the file in ProgramData and create a symbolic link that redirects to any location where the attacker has placed a file with malicious content.

The bugs have now been fixed

CyberArk also tried creating a new folder in ProgramData under the name McAfee before the privileged process ran. If the folder is created by the user before the antivirus is installed, the standard user, who otherwise lacks permissions, has full control of the directory and is able to elevate privileges. In addition, other antivirus products such as Trend Micro or Fortinet could be compromised by introducing a malicious DLL into the ProgramData folder and thereby elevating privileges.
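The two weaknesses described above, a ProgramData subfolder that a standard user owns or can write to, and a symbolic link planted where a privileged process expects a plain file, can both be audited from the defender's side. The following PowerShell script is an added example written for this article; it is not code from CyberArk or from any of the vendors named. It assumes Windows PowerShell 5.1 or PowerShell 7 running elevated on Windows, and the trusted-principal list, the rights mask and the output columns are choices made for this example. It lists first-level ProgramData subfolders whose owner, or whose write-capable Allow ACEs, belong to anyone other than SYSTEM, Administrators or TrustedInstaller (the condition in the pre-created McAfee folder), and any reparse points beneath them (the symbolic-link redirection in the shared log-file case).

```powershell
# Added audit script written for this article; not code from CyberArk or any antivirus vendor.
# Reports ProgramData subfolders that untrusted principals own or can write to, plus any
# reparse points (symbolic links / junctions) found beneath them.
# Assumed environment: Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated so every
# DACL is readable. The trusted-SID list, rights mask and output format are choices made here.

$Root = $env:ProgramData                     # normally C:\ProgramData

# Principals expected to own, or write into, a directory that a privileged service later uses.
$TrustedSids = @(
    'S-1-5-18',                                                         # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',                                                     # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'    # NT SERVICE\TrustedInstaller
)

# Any of these bits lets the grantee replace, delete or re-permission the folder's contents.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int](
    $FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
    $FSR::ChangePermissions -bor $FSR::TakeOwnership
) -bor 0x10000000 -bor 0x40000000            # GENERIC_ALL and GENERIC_WRITE, which some ACEs carry unmapped

function ConvertTo-Sid([System.Security.Principal.IdentityReference]$Identity) {
    # Compare by SID so localised or renamed group names do not matter.
    try   { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Identity.Value }                # unmappable account: keep the raw name, it will count as untrusted
}

function Get-WeakDaclEntries {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path

    # A folder owned by a standard user is the pre-created-folder case: the owner can re-permission it at will.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    if ($TrustedSids -notcontains $ownerSid) {
        [pscustomobject]@{ Path = $Path; Finding = 'UntrustedOwner'; Detail = $acl.Owner }
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries (typically CREATOR OWNER) grant nothing on this folder itself.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if ($TrustedSids -contains (ConvertTo-Sid $ace.IdentityReference)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $inherited = if ($ace.IsInherited) { ' (inherited)' } else { '' }
        [pscustomobject]@{
            Path    = $Path
            Finding = 'UntrustedWriteAce'
            Detail  = '{0}: {1}{2}' -f $ace.IdentityReference.Value, $ace.FileSystemRights, $inherited
        }
    }
}

function Get-ReparsePoints {
    param([Parameter(Mandatory)][string]$Path)
    # A symlink or junction inside a folder a privileged process writes to is the redirection primitive
    # described in the article. Depth is bounded so a cyclic junction cannot make the walk run forever.
    Get-ChildItem -LiteralPath $Path -Recurse -Depth 4 -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Finding = 'ReparsePoint'
                Detail  = '{0} -> {1}' -f $_.LinkType, ($_.Target -join ', ')
            }
        }
}

$findings = Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-WeakDaclEntries -Path $_.FullName
        Get-ReparsePoints   -Path $_.FullName
    }

if ($findings) { $findings | Sort-Object Finding, Path | Format-Table -AutoSize -Wrap }
else           { "No untrusted-writable folders or reparse points found under $Root" }
```

Not every line of output is a vulnerability: some products deliberately let standard users write to their ProgramData folder. A finding matters when a privileged service reads from, writes to or loads code from the listed folder, which is the condition the CyberArk research relied on. The durable fix is on the vendor side, in installers that create their folders with a strict DACL and in loading DLLs only from trusted paths, but the audit shows an administrator where that exposure exists on a given machine.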

Fortunately, all these bugs have already been fixed, but CyberArk states that antivirus vendors need to change many things at a fundamental level to prevent this kind of attack from recurring in the future, such as using LoadLibraryEx to prevent malicious DLLs from being executed, using new installers and the Microsoft MSI format, and asking for permission on every folder creation in ProgramData.