A common security bug affected the antivirus engines of three major vendors, AVG, McAfee, and Kaspersky, as enSilo security researchers have discovered.
The problem was first detected back in March 2015, when one of enSilo's own products collided with an AVG antivirus on one of its client's workstations.
After further investigation into the matter, enSilo's staff uncovered a security bug in the AVG antivirus as being the cause of the software incompatibility. No ASLR in your antivirus, no security for you! The security bug relates to the fact that the AVG antivirus creates a memory space with full RWX (read-write-execute) privileges where it normally runs. For that particular version of the AVG antivirus, this memory space was not randomized and was often shared with other applications, like, for example, Acrobat Reader or the enSilo product that collided with the antivirus.
If an attacker knew about the antivirus' predictable behavior and where this address space was, they could force their malicious code to execute inside that memory address and have the same privileges as the antivirus process (which is system-level). Attackers would be allowed to bypass Windows built-in security features by leveraging the antivirus itself.
Antivirus makers rolled out silent updates to fix the issue
enSilo notified AVG employees, who, to their credit, fixed the issue in less than two days after being notified. Since the bug was dangerous and a common design error on the part of many software programmers, later, the enSilo team decided to create a custom tool that would test other antivirus solutions for this very same bug. The company's investigation revealed that antivirus products like Intel Security's McAfee Virus Scan Enterprise version 8.8 and Kaspersky Total Security 2015 - 15.x were also vulnerable to the same bug.
enSilo notified each company, who silently released patches, McAfee in late August, and Kaspersky in late September. "Intel Security takes the integrity of our products very seriously. Upon learning of this particular issue, we quickly evaluated the researchers' claims and took action to develop and distribute a solution addressing it," an Intel Security representative told. "This solution was distributed to customers in a patch on August 26, 2015. We reached out to enSilo with this information on Friday as it appears they are unaware that the issue detailed in their blog has been solved for a number of months at this point."
110 Reykjavik, Iceland