Anti-virus Software Could Make You Less Secure Because Vendors Are Ignoring Security Best Practices


Yael Grauer, Contributor

September 28, 2015

Photographer: Alexander Zemlianichenko Jr./Bloomberg

We’ve written before about how antivirus software is not only resource-intensive but in some cases can make you less secure because it can be hacked itself. Now there’s new evidence that Kaspersky Lab’s antivirus software contains bugs which could be remotely exploited in targeted attacks, as Thomas Fox-Brewster reported yesterday. Some of these bugs are detailed in a blog post written by information security engineer Tavis Ormandy, a member of Google’s Project Zero vulnerability research team.

Although Kaspersky Lab told Ars Technica in a statement that all of the vulnerabilities publicly disclosed in Ormandy’s blog post have been fixed, other bugs have not yet been disclosed because fixes for them are not yet available.

In addition, Ormandy tweeted that he hasn’t finished auditing Kaspersky yet and is still filing new bugs. “I’ll make another blog post on more remote code execution vulns in Kaspersky as the fixes are released,” he tweeted on September 22nd. “The patches for the remote network attacks I had planned to discuss here were delayed, and so I’ll talk about them in a second post on this topic once the fixes are live,” he further wrote in his original blog post.


Loads of Kaspersky bugs found by @taviso. Examples:

— Joxean Koret (@matalaz) September 22, 2015

One of the vulnerabilities Ormandy found could have been caught if Kaspersky had compiled with /GS, the Visual C++ buffer security check. /GS places a random cookie between a function’s local buffers and its saved return address and verifies that cookie before the function returns, so a stack buffer overflow, a frequent attack vector, is detected and the process is terminated rather than hijacked. (It guards the stack only; heap overflows are not covered.) Interestingly, /GS has been enabled by default in Microsoft’s compiler for many years, so it is unclear why Kaspersky would have turned it off. Microsoft’s own documentation recommends disabling it only “if you expect your application to have no security exposure,” which hardly describes anti-virus software.
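To make the /GS mechanism concrete, here is an added example that is not code from the article, from Microsoft, or from Kaspersky. It emulates a stack frame in a byte array so the overrun can be observed instead of crashing: a 16-byte local buffer is filled by an unchecked copy, and the same input is run through a build “with /GS” (cookie between buffer and return address, checked in the epilogue) and “without /GS” (return address directly after the buffer). The cookie value, the return address and the input bytes are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the MSVC /GS buffer security check. Not
 * Microsoft's or Kaspersky's code: the stack frame is emulated in a byte
 * array so the overrun is observable rather than fatal. With /GS the frame is
 *     [ local buffer ][ cookie ][ saved return address ]
 * and the epilogue compares the cookie with the process-wide __security_cookie
 * before returning; without /GS the return address sits right after the buffer.
 */
#define BUF_LEN    16u
#define FRAME_LEN  64u
#define LEGIT_RET  0x00007FF6A1B2C3D4ull  /* made-up "legitimate" return address */

/* Hypothetical process cookie; the real __security_cookie is randomised at load time. */
static const uint32_t security_cookie = 0x5A3C9E71u;

typedef struct {
    int      cookie_ok;  /* 1 if the epilogue check passes (always 1 without /GS: nothing is checked) */
    uint64_t ret_addr;   /* the address the emulated function would return to */
} gs_result;

/*
 * Emulates a function with a 16-byte local buffer that copies attacker-controlled
 * input with no bounds check, the bug class behind the finding discussed above.
 */
static gs_result vulnerable_frame(const unsigned char *input, size_t len, int gs_enabled)
{
    unsigned char frame[FRAME_LEN];
    size_t cookie_off = BUF_LEN;
    size_t ret_off = gs_enabled ? BUF_LEN + sizeof(uint32_t) : BUF_LEN;
    uint64_t ret = LEGIT_RET;
    gs_result r;

    /* prologue: zero the frame, store the cookie (only with /GS) and the return address */
    memset(frame, 0, sizeof frame);
    if (gs_enabled)
        memcpy(frame + cookie_off, &security_cookie, sizeof security_cookie);
    memcpy(frame + ret_off, &ret, sizeof ret);

    /* body: the unchecked copy. Clamped to the emulated frame only so the demo itself stays memory-safe. */
    if (len > FRAME_LEN)
        len = FRAME_LEN;
    for (size_t i = 0; i < len; i++)
        frame[i] = input[i];

    /* epilogue: with /GS, compare the cookie before the return address is used */
    r.cookie_ok = 1;
    if (gs_enabled) {
        uint32_t cookie;
        memcpy(&cookie, frame + cookie_off, sizeof cookie);
        r.cookie_ok = (cookie == security_cookie);   /* real /GS calls __report_gsfailure on mismatch */
    }
    memcpy(&r.ret_addr, frame + ret_off, sizeof r.ret_addr);
    return r;
}

/* Constructed inputs: 8 bytes fit the buffer; 24 bytes fill it and spill 8 bytes past it. */
static gs_result benign_8(int gs_enabled)
{
    unsigned char in[8];
    memset(in, 'A', sizeof in);
    return vulnerable_frame(in, sizeof in, gs_enabled);
}

static gs_result overrun_24(int gs_enabled)
{
    unsigned char in[24];
    memset(in, 'A', sizeof in);
    return vulnerable_frame(in, sizeof in, gs_enabled);
}

int main(void)
{
    gs_result ok    = benign_8(1);
    gs_result no_gs = overrun_24(0);
    gs_result gs    = overrun_24(1);

    printf("benign,  /GS on : check passed=%d ret=0x%016llx\n",
           ok.cookie_ok, (unsigned long long)ok.ret_addr);
    printf("overrun, /GS off: check passed=%d ret=0x%016llx (attacker now controls the return address)\n",
           no_gs.cookie_ok, (unsigned long long)no_gs.ret_addr);
    printf("overrun, /GS on : check passed=%d ret=0x%016llx (cookie smashed, function would abort)\n",
           gs.cookie_ok, (unsigned long long)gs.ret_addr);
    return 0;
}
```

Without /GS the 24-byte input silently replaces the saved return address with 0x4141414141414141, which is exactly the primitive a remote code execution exploit builds on; with /GS the same input smashes the cookie first, and the epilogue check turns the hijack into a controlled abort. The check is only as good as the cookie's secrecy, which is why the real __security_cookie is randomised per process rather than fixed as in this demo.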


“In [the] future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges,” Ormandy wrote. Because Kaspersky ran its unpackers with SYSTEM privileges rather than in a sandbox, a vulnerability in any one of them was enough for full compromise of the machine.

Kaspersky Lab is hardly alone. Critical vulnerabilities have previously been found in Sophos Antivirus, Microsoft anti-malware products, FireEye technology, ESET security products, and other anti-virus engines.

As of press time, Kaspersky Lab had not responded to a request for comment.


This article was written by Yael Grauer from Forbes and was legally licensed through the NewsCred publisher network.
