New Antivirus Vulnerability Could Help Malware Spread

This is why I have trust issues: A newly discovered vulnerability in antivirus software could be used to infiltrate victims’ computers. The exploit, dubbed AVGater by its researcher Florian Bogner, has already been patched by the most powerful antivirus providers, including Trend Micro, but users who have failed to install the latest updates likely remain vulnerable to attack. To keep your devices safe, here’s what you need to know about AVGater and antivirus protection.

What AVGater Allows

Before you can truly understand how AVGater makes your devices insecure, you should know a little about how antivirus software functions. From the unprivileged user’s point-of-view, there are three access domains, each of which perform different duties:

1. User interface, which displays the system state, virus warnings, and settings,
2. Privileged user or SYSTEM mode, which quarantines viruses, monitors file access, and updates the app, and
3. Kernel component, which performs scanning, remediation, rootkit detection, and similar security actions.

A typical unprivileged user can do almost nothing to affect the software because they only have access to the user interface. However, if an unprivileged user could alter or cross the boundaries of these channel, they could wreak all sorts of havoc. Unfortunately, AVGater does just that by manipulating a process called “restore from quarantine.”

The AVGater exploit gives attackers the ability to restore quarantined files, an action typically reserved for privileged users. Using the vulnerability, an attacker can move any previously quarantined file to any location on the filesystem. This provides a window through which attackers can place malicious code on victims’ computers, gaining access to vital processes and information. With the help of this vulnerability, its easy to imagine a complete attack:

1. An attacker moves a malicious library into an antivirus program’s quarantine.
2. The attacker uses AVGater to redirect the source path to another destination, most likely within C:/Program Files or Windows, which contain many executable files and often prevent users from writing in normal conditions.
3. The malicious library is loaded by another privileged process — i.e., executed — and the attacker gains complete control over the affected device.

There is one serious problem that makes AVGater an unlikely vector for widespread attack: Attackers must be present, with physical access to their target machine, to use the vulnerability. Still, if left unpatched, this exploit could be a significant problem for shared computer environments, especially if their physical security isn’t strong. Disgruntled employees or confidence tricksters could easily gain control of enterprise systems and cause mayhem — but they can just as easily be stopped.

Why Antivirus Still Matters

Though AVGater is startling, it isn’t necessarily new. To be frank, exploits like this one appear in almost all programs, including antivirus software, but it has only been recently that attention is paid to their discovery and remedy. All software updates address weaknesses; that this one is significant and ironic makes it newsworthy.

AVGater and vulnerabilities like it are patched almost as soon as they are identified — or at least as soon as they become popular news stories. Already, every major antivirus software provider has created and distributed effective solutions to AVGater, which means if your antivirus program is trustworthy (and updated regularly) you should be safe by now. Users of shared computer environments can take extra precautions by disabling the “restore from quarantine” feature in their antivirus programs, but with the appropriate patches in place, computers hardly benefit from this action.

Antivirus software does significantly more good than harm. Even if AVGater remained at large, it would hardly tip the scales. Antivirus programs constantly look for dangerous files, which most often make their way onto devices without attackers’ physical presence. Through real-time scans, boot-time scans, and individual, on-demand scans, antivirus software identifies potentially harmful code and eliminates it. Additionally, antivirus protection provides defenses for your sensitive data, so you are at a lower risk for identity theft or payment fraud.

If you don’t already have antivirus software, AVGater is not a viable reason to delay. If you do have antivirus software from a provider on this list

1. Kaspersky Lab
2. Malwarebytes
3. Ikarus Security Software
4. ZoneAlarm by Check Point
5. Emsisoft
6. Trend Micro

You should download and install any available updates immediately. The chances of AVGater affecting you are low — but that is no reason to maintain a cyber weakness.