January 21, 2016 By Rick M Robinson 3 min read

It sounds like a plot hook for a sci-fi thriller: Attackers take over security safeguards and then use the compromised guardians to break into facilities and engage in theft, sabotage or both. But according to some security researchers, this isn’t just a fictional Hollywood scenario. Popular antivirus software used by thousands of enterprises and millions of individual users is potentially vulnerable to attack.

Because these attacks take control of software intended for security protection, the attackers can bypass other protective measures and cover their tracks. They can even use the security tools to do further damage, such as infecting other systems. Unlike many threat vectors, these attacks do not depend on end user shortcomings.

Antivirus Software Draws Intelligence Agency Interest

The good news, according to Lucian Constantin at InfoWorld, is that there is no direct evidence — so far — that antivirus solutions have been used in attacks. If such attacks have taken place, they were small in scale and avoided detection. But security researchers warned that such strikes are possible.

Both the U.S. National Security Agency (NSA) and British intelligence agencies are known to have examined popular commercial antivirus software packages to look for ways they could break into systems protected by these packages, The Intercept reported. It stands to reason that other international intelligence agencies, some with reputed ties to cybercrime groups, are also actively examining antivirus software for potential vulnerabilities.

The major cybersecurity firms that market these tools are well aware of the potential risks to and from their products. “Attacks on security researchers and security vendors could be a future trend in information security,” Vyacheslav Zakorzhevsky of Kaspersky Lab told InfoWorld. “However, we do not believe these will be widespread attacks.”

Sed Quis Custodiet Ipsos Custodes?

But who will guard the guards themselves? As this Latin proverb suggests, the security challenges of safeguarding protective systems are not new. In fact, they are inherent in the nature of security measures.

Security guards need passkeys, which means that one way for the bad guys to get hold of those keys is to steal them from a guard. In the same way, security software needs to have access to high-level permissions. In fact, most of the familiar Hollywood tricks for getting past the guards have their cyber equivalents, from simply taking out a guard (disabling the software) to dressing up in a guard uniform and issuing fake instructions (abusing the software’s system permissions).

This basic challenge is inherent to antivirus protection: because the software must parse a wide variety of incoming data and file types, and is itself built from multiple internal security components, it has a large attack surface. It can be attacked in many ways at many points.

Protecting Against Attacks

Some security researchers questioned whether the whole idea of security based on endpoint protection, which is what antivirus software provides, is obsolete in the modern world of richly interconnected systems. Others may claim that much security software development is flawed because the tools are not adequately sandboxed, that is, not isolated from unwanted outside interactions.

But it is not clear that sandboxing is practical for complex security packages. They might end up with so much self-protection that it would grind everything to a halt, making them unusable.

Other security researchers argued that antivirus software is just one layer of protection and perhaps more important to individuals and small businesses than to enterprises that have the resources — including human resources — to deploy other types of protective measures. For nearly all users, installing software updates and patches is the single most important security measure.

The fact is that antivirus software is indeed one layer of protection, not a complete security solution in itself. The security risks it poses are not peculiar to those tools but are inherent in any security system powerful enough to protect you. Effective security comes from being proactive, building in multiple levels of protection from the ground up and taking nothing for granted.
