SafeBreach discloses vulnerabilities in Avast, AVG, Avira

If you’re one of the 500 million or so people using Avast, AVG, or Avira antivirus, newly revealed vulnerabilities—and exploits affecting them—should prompt you to upgrade to the latest version.

The vulnerabilities and exploits were revealed by computer security company SafeBreach on Monday. They were initially reported to Avira on July 22 and Avast on August 16, and are being publicly detailed for the first time because of SafeBreach’s responsible-disclosure process. Both companies issued software patches in September.

Exploiting the vulnerabilities in Avast and AVG’s antivirus products, which are made by Avast Security following a 2016 acquisition, as well as in Avira’s Launcher and Software Updater, requires a hacker to have administrator privileges. Once those privileges are attained, a hacker can run malicious software in a “persistent” manner because the security software will reload it each time the antivirus is restarted, says Peleg Hadar, security researcher at SafeBreach.





“This vulnerability provides the attacker the ability to run its own malicious code within the signed process context, making it look like the signed process executed the malicious code. This way, security products can trust it, because it’s signed, and not block it,” Hadar said in an email to The Parallax.

Multiple security researchers who spoke with The Parallax on background said the vulnerabilities, as documented by SafeBreach, are a “novel” way for hackers to hide their tracks and should be considered a “medium”-level risk only because it can be difficult (although not impossible) for a hacker to gain administrator rights on a target’s computer.

The attack relies on the ability to run or change software on Windows by loading a DLL (dynamic-link library) file, a piece of shared code that other software loads to perform its tasks. Avira and Avast representatives confirmed in emailed statements that the companies have patched their software, though neither company responded to questions regarding how many users are running the latest software. The patch has been applied in Avast and AVG antivirus software versions 19.8 and newer, and in Avira Launcher 1.2.137 and newer.

“It is worth noting,” an Avast representative stated, “the attack in question requires any bad actor to have administrator privileges on the target machine. Anyone who has such access already controls the machine and could corrupt the system in many ways. For this reason, we always recommended using a non-privileged account for everyday use of any machine.”

The SafeBreach disclosures accompany a report from Avast revealing a new attack against its CCleaner software on Monday, October 21, following a 2017 hack.

These vulnerabilities are just the latest in antivirus software documented by SafeBreach, which has publicly documented six vulnerabilities in security software since June, including software made by Dell, Trend Micro, BitDefender, Check Point, Forcepoint, and HP. While all software will suffer vulnerabilities and breaches, these latest vulnerabilities are part of a larger call to question what steps antivirus software vendors are taking to secure their products, especially given the deep hooks they have into computer systems. Antivirus software often is designed to start running before many other programs do, in order to protect the system from attack.

Over the past several years, antivirus software has come under increasing scrutiny for providing hackers with another way to access a computer, says researcher Xavier de Carné de Carnavalet, who holds a Ph.D. in information and systems engineering from Concordia University in Montreal. He is critical of the inability of modern antivirus programs to react fast enough to hackers who create many variants of a single malware program to evade detection even by malware behavioral detection systems.

“The malware released last month or last year is not as dangerous as the one released in the past few minutes,” de Carné de Carnavalet says. “When you install an antivirus, it can introduce critical vulnerabilities that can be exploited, although it does bring benefits to you such as stopping malware.”

While The New York Times’ Wirecutter tech reviews service recommends that Windows and Mac owners use the protections that come preinstalled on those computers, bolstered by Malwarebytes, de Carné de Carnavalet says nothing beats using best practices and better computer hygiene: patches, passwords, and layers of security.

“The first barrier is to keep everything up-to-date. Then, in terms of online safety, it’s more about the education of users. Choosing proper passwords, using two-factor authentication, and using a password manager,” he says.

Update, October 22 at 2:25 p.m. PST, with a statement from Avast.