Antivirus software is basically software designed to defend your PC from malicious attacks. Though this ‘firewall’ is supposed to be robust, it seems that some of these security apps are suffering from a vulnerability dubbed as AVGater.
Even though Microsoft is offering a more advanced security product in the name of Windows Defender, users are still considering third-party antivirus solutions to block malware from vulnerable computers. And now the table seems to have turned around — installing an antivirus protection can be a double-edged sword for users as a security vulnerability in such software can allow cybercriminals to abuse options to restore files from quarantine and then deploy malware and infect a machine.
The flaw in question was discovered by security researcher Florian Bogner. A new type of vulnerability has been spotted in the engine of several antivirus products, which makes it possible for attackers to deploy a quarantined file infected with malware to a sensitive location on the local drives.
Basically, the antivirus software quarantines a malicious file as it appears on the user’s PC, but the exploit allows an attacker to manipulate the restore process from quarantine, effectively letting the malware back onto the system. It can subsequently wreak its own particular havoc.
“AVGater can be used to restore a previously quarantined file to any file system location. This is possible as the restoration process is most often carried out by the privileged AV Windows user mode service. Therefore, file system ACLs can be circumvented,” Bogner said.
This type of issue is called ‘privileged file write vulnerability’ and can be used to place malicious DLLs anywhere on the operating system. The main aim behind this is to sideload this library for legitimate Windows servers by abusing the DLL Search Order, he added.
However, before you freak out, the good news is that the hacking process can’t be executed online; rather the attacker must be physically present at the victim’s PC. So this isn’t going to be much of a threat – unless users let strangers invade into their house to use the PC for a quick bit of net surfing.
Not every antivirus product is affected, here is a list of a number of affected parties who have already released a fix for their AV software: Emsisoft, Ikarus, Kaspersky, Malwarebytes, Trend Micro, and ZoneAlarm.
For now, this is just a wake-up call for all PC users that antivirus apps can suffer from vulnerabilities, just as with any piece of software. Therefore, it is advised to be cautious before checking in to any website.