Major Antivirus Flaw Deletes Files, Corrupts Windows

John Lister

A security company says it found a simple way to turn antivirus software into a weapon for attackers. Most major manufacturers have now fixed the problem, but it's a reminder to keep such software updated.

The discovery by Rack911 Labs effectively meant that an attacker could force the antivirus software to delete files on a computer, including files the attacker's own account has no permission to touch. The attacker would still need to be running code on the machine first, as an ordinary user account - whether from inside the network, or remotely through malware that has already landed.

The exploit is based on one of the most fundamental actions of any antivirus software: it scans files, checks whether they are a threat, and then either moves them to a "quarantine" location or deletes them outright. For this to work on files belonging to any user, the antivirus software runs with the highest level of access on the computer (the SYSTEM account on Windows, root on macOS and Linux), so its file operations are not stopped by the normal permission checks that apply to ordinary users.

Deletion Instructions Corrupted

The problem lies in the split second between the antivirus software deciding to delete or move a file it has scanned and the operating system carrying out that deletion. The decision is made about the file's contents, but the deletion is carried out by the file's path, and that path is looked up again at the moment the deletion happens.

The exploit is effectively a race: the attacker tries to jump in during that split second and, using one of two methods, change what the path points to, so that the legitimate instruction ("delete this malicious file") lands on a different file of the attacker's choosing. (Source: engadget.com)

One option is a directory junction, a Windows feature that makes one directory path resolve to another directory. Creating a junction does not require administrator privileges, so a standard user can redirect a folder they own to one they cannot otherwise write to.

The other option is a symlink (short for symbolic link), a special file that acts as a shortcut to another file or directory and exists on Windows, macOS and Linux alike. On macOS and Linux any user can create one, and that is the route used there; on Windows, creating a symlink normally requires administrator rights, which is why the junction method matters on that platform. With either option, the attacker effectively changes which file the delete instruction applies to without the antivirus software noticing.

Rack911 Labs staff were able to use these methods to trick the antivirus software into deleting key files belonging to either the antivirus software itself or Windows. The former would stop the antivirus from working, while the latter could corrupt Windows to the point that a fresh installation was needed.
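The check-then-act window described above can be recreated on a desk, without winning a real timing race, by injecting the attacker's swap between the two steps. The following is an added illustration written for this page, not Rack911 Labs' proof of concept: it assumes POSIX symlinks (Linux or macOS), uses a temporary directory named "protected" as a stand-in for a system folder, and treats the constructed byte string b"MALWARE" as the detection. Both the "scanner" and the "attacker" run as the same user here, so only the path redirection is reproduced, not the privilege gap; the naive scanner deletes by path string and follows the swapped-in symlink, while the hardened one pins the directory with an open descriptor and confirms the file's identity before unlinking.

```python
"""
Deterministic re-creation of the scan-then-delete race. Added example for
this page, not Rack911's code. Assumes POSIX symlinks; the attacker's swap is
injected through a callback instead of winning a real race, and the marker
b"MALWARE" is a constructed stand-in for an antivirus detection.
"""
import os
import shutil
import tempfile

MARKER = b"MALWARE"  # constructed detection signature


def naive_quarantine(path, race_window):
    """Vulnerable pattern: scan by path, then delete by the same path."""
    with open(path, "rb") as f:              # CHECK: look at the contents
        if MARKER not in f.read():
            return "clean"
    race_window()                            # attacker acts here
    os.remove(path)                          # ACT: the path is resolved again
    return "deleted"


def hardened_quarantine(path, race_window):
    """Pin the directory with a descriptor, refuse symlinks at every step,
    and delete only the exact inode that was scanned."""
    parent, name = os.path.split(path)
    try:
        dfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as e:                     # parent is already a symlink
        return f"aborted: {e.strerror}"
    try:
        ffd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        try:
            checked = os.fstat(ffd)          # identity of what was scanned
            data = os.read(ffd, 1 << 20)
        finally:
            os.close(ffd)
        if MARKER not in data:
            return "clean"
        race_window()                        # same window as above
        # ACT: re-open relative to the pinned directory, not the path string,
        # and refuse to delete anything but the inode that was scanned.
        try:
            ffd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dfd)
        except OSError as e:                 # e.g. the name became a symlink
            return f"aborted: {e.strerror}"
        try:
            now = os.fstat(ffd)
        finally:
            os.close(ffd)
        if (now.st_dev, now.st_ino) != (checked.st_dev, checked.st_ino):
            return "aborted: file changed between scan and delete"
        os.unlink(name, dir_fd=dfd)
        return "deleted"
    finally:
        os.close(dfd)


def run_scenario(quarantine):
    """Lay out an attacker-owned directory and a protected one, run one
    quarantine with the swap injected into the race window, and report
    which file was actually deleted."""
    root = tempfile.mkdtemp()
    try:
        scan_dir = os.path.join(root, "downloads")    # attacker-writable
        protected = os.path.join(root, "protected")   # stand-in for System32
        os.mkdir(scan_dir)
        os.mkdir(protected)
        bait = os.path.join(scan_dir, "important.dll")
        victim = os.path.join(protected, "important.dll")
        with open(bait, "wb") as f:
            f.write(MARKER)                  # guaranteed detection
        with open(victim, "wb") as f:
            f.write(b"legitimate system file")

        def attacker_swap():
            # Rename the scanned directory away and put a symlink with the
            # same name in its place, pointing at the protected directory.
            os.rename(scan_dir, scan_dir + ".old")
            os.symlink(protected, scan_dir)

        result = quarantine(bait, attacker_swap)
        return {
            "result": result,
            "victim_intact": os.path.exists(victim),
            "bait_deleted": not os.path.exists(
                os.path.join(scan_dir + ".old", "important.dll")),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for fn in (naive_quarantine, hardened_quarantine):
        print(f"{fn.__name__:22s} {run_scenario(fn)}")
```

Running it shows the naive scanner reporting "deleted" while the protected file is gone and the bait survives in the renamed directory; the hardened scanner also reports "deleted", but the file removed is the bait and the protected file is untouched, because the unlink went through the directory descriptor opened before the swap. Windows has no O_NOFOLLOW, so the equivalent there is to open the file with a handle that does not reparse (FILE_FLAG_OPEN_REPARSE_POINT) and delete through that handle rather than by path.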

Major Manufacturers Affected

The researchers say they were able to exploit the problem in more than 20 leading antivirus packages including those from major names like AVG, Kaspersky, Malwarebytes and Sophos. They say the process itself was "trivial" to carry out and the only real challenge was in getting the timing right. (Source: rack911labs.com)

The good news is that the researchers withheld their findings from the public for a long time, disclosing them privately to antivirus manufacturers starting in late 2018. They say they are going public now because every antivirus vendor they spoke to has had at least six months to fix the problem.

Most have now issued updates to fix the problem or are expected to do so imminently. However, it's possible some lesser-known security software could still be vulnerable.

What's Your Opinion?

Were the researchers right to keep this from the public for well over a year? Are you surprised that almost all leading software could suffer the same vulnerability? Is it worth worrying about such threats or is there only so much a user can do?


Comments

ehowland

Curious if PC Matic or SentinelOne were vulnerable. We are using those two (widespread use of SentinelOne, only experimenting with PC Matic on a few lab test machines).

buzzallnight

of computers!

Now we know it is the biggest weakness of computers!

Software security is an oxymoron!