Is your antivirus vulnerable?
AV Vulnerability Checker is a free program for Windows that determines whether antivirus software installed on the computer is vulnerable to exploitable constant Read-Write-Execute (RWX) addresses.
Vulnerabilities are bad, regardless whether they are found in the operating system or programs running on it. One of the worst kind affects security software, programs that are designed to protect the system from attacks.
Ensilo, the company behind the product of the same name that “offers a real-time exfiltration prevention platform against advanced targeted attacks”, revealed the security vulnerability that is affecting various antivirus products in a recent blog post.
It discovered the vulnerability while investigation a collision of the company’s own enSilo product with AVG antivirus software.
Vulnerable anti-virus solutions “allocate a memory page with Read, Write, Execute permissions at a constant predictable address” and for various user-mode processes including those of web browsers or Adobe Reader.
The vulnerability enables attackers to bypass certain Windows mitigations against exploits, for instance ASLR or DEP since the attacker knows where to write and run code.
The company found the vulnerability in several antivirus products including McAfee Virus Scan for Enterprise version 8.8, Kaspersky Total Security 2015 and AVG Internet Security 2015.
Both AVG and McAfee appear to have fixed the issue in recent updates already.
Ensilo released a program for Windows that tests other antivirus solutions for the vulnerability. The tool is available on Github.
Click on download on Github and download the archive to the local system.
Extract the archive afterwards to a local directory.
The program tests the vulnerability using web browsers on the system. For it to work, you need to have a web browser open, and close it when the program requests you to do it.
Then you need to restart the web browser and open at least two new tabs in it. The program will then check whether the vulnerability can be exploited on the system.
Any memory region that exists in both scans is likely predictable and the program indicates this by listing those addresses and processes.
What it won’t do is reveal the security solution that is vulnerable to the attack. The researchers suggest that you use a debugger to find that out, but if that sounds too complicated, you may want to disable security software instead and re-run the tests to find the culprit or culprits this way.
If you find out that a product that you run is vulnerable, there is little that you can do about it. After making sure that it is up to date, you may inform the developer of the program about the vulnerability.