Is the software you’re using to prevent your computer from getting infected by malware actually making it more vulnerable? That question has been debated for decades, but new research into antivirus vulnerabilities makes it an important one to keep asking.
In a report it released this week, data security company EnSilo said the commercial software of a dozen antivirus and software vendors were vulnerable to at least one of six ways hackers could hook into the core of a computer’s operating system.
Hooking is a common technique used by a wide range of programs to intercept software signals. It can be used for protective purposes—Web browsers generally use hooking engines to load content while isolating potentially risky site content from the rest of the computer. Antivirus programs use hooking to test and identify potentially malicious software without putting the rest of your computer at risk—provided that they’re implemented properly. And because hooking techniques intrude on a software’s ability to function normally, they can also be used by malicious software to redirect and attack software.
Antivirus software, which protects your computer and phone against digital attacks, is among the most powerful commonly used software because of its ability to tap into the inner circle of your computer’s operating system. Such access gives security software the ability to work more efficiently than ever before to stop attacks before they can take gain a toehold, but it also means that security software vulnerabilities have the potential to cause severe harm to your computer and your data.
Although his company hasn’t seen the exploit his company reported used in an attack yet, Udi Yavo, co-founder and chief technology officer of EnSilo, describes it as “easy” to use.
“Last year, we found the vulnerability in AVG, but it was only the tip of the iceberg,” Yavo says. “We found it in Kaspersky and Trend Micro and many other companies.”
AVG patched the vulnerability in a timely manner, Yavo says, as did several other vendors, including Avast Software, which sponsors this site, BitDefender, Emsisoft, Kaspersky, Intel’s McAfee, Symantec, Webroot, and Citrix’s virtual computer desktop, XenDesktop.
EnSilo says antivirus vendor Trend Micro has reported that it will publish a patch to the vulnerability in August. And Vera Security spokeswoman Lynsey Rose, when reached for comment, said a patch is “in production.”
Rose also criticized EnSilo for recommending a move to Microsoft Detours, the most popular “hooking” software available, before discovering that Detours was also affected by the vulnerability. (Microsoft told EnSilo that it will be publishing a patch for Detours in August too, though it declined further comment.)
“Antivirus as a product, as it functions, is hard to do right and prone to security issues.” — Jon Oberheide, co-founder and chief technology officer, Duo Security
Since noticing major zero-day flaws in Sophos’ antivirus software in 2011, security researcher Tavis Ormandy, who works on Google’s Project Zero, has made efforts far more extensive than EnSilo’s into discovering antivirus vulnerabilities and pressuring affected software vendors to patch them.
“I’m trying to clean up some of the low-hanging fruit that is endangering billions of users worldwide,” Ormandy, who did not respond to requests for comment for this story, wrote in a blog post in March about a Comodo Antivirus vulnerability.
The work of Ormandy and other security researchers “is much appreciated and needed,” says Mikko Hypponen, a longtime malware hunter whose teams were instrumental in stopping the computer worms Sobig and Blaster. As chief research officer at Finnish antivirus and security company F-Secure, Hypponen says, “It’s quite clear that all companies working in the security field want to bring more security to their customers’ systems—not less.”
Ondrej Vlcek, Avast’s chief operating officer, says Ormandy’s style of critiquing the antivirus business is “theatrical” and “childish,” but he agrees that the antivirus industry benefits from having its dirty laundry aired in public, and he applauds how industry researchers are encouraging vendors to make changes.
“What [Ormandy] finds is often valuable,” says Vlcek, who has two decades of experience combating computer threats. “We take this stuff quite seriously. And the security benefits far outweigh the risks. There’s malware, ransomware, social-engineering threats.”
So is the existence of threats posed to antivirus software enough reason to abandon it? In a word: No.
“Running without an AV on a Windows or Mac platform is nonsensical,” Vlcek says. And, Hypponen adds, malware targeting holes in security software, which often includes a feature that quickly delivers updates to block new and spreading threats, is “just not very common.”
That’s not to say hackers won’t take aim at those holes, as the Witty computer worm did in 2004, nor that antivirus makers don’t face significant security challenges.
“Modern malware and modern viruses are catching up to nation-state level malicious code. Techniques that were once state-of-the-art are now well known,” says Barry Shteiman, director of research at security company Exabeam. Some advanced malware can now detect when it’s being tested in a virtual machine, he says.
Another challenge, says Jon Oberheide, co-founder and chief technology officer of Duo Security, is that what’s safe enough for people at home might not be at work. Large deployments of software containing the same vulnerability can make it easier to exploit and gain network access, he says.
“Antivirus as a product, as it functions, is hard to do right and prone to security issues,” says Oberheide, who investigated antivirus software security as part of his Ph.D. at the University of Michigan. Antivirus software “scans content, videos, and documents, and parsing them is an inherent challenge. There are ways to do it safely: You can sandbox the parsers, write them in languages that are safe. Security vendors know these are problems, but my perception is that there’s not sufficient motivation to fix them” because “sales are still strong.”
Ormandy’s March post reflected that sentiment: “I don’t think the antivirus industry is going to make even a token effort at resolving these issues, unless [its] hand is forced.”
Still, most of the antivirus vulnerabilities EnSilo identified were fixed within a week, according to statements The Parallax reviewed, signifying strong interest in addressing any known issues. And while he wouldn’t advise getting rid of one’s antivirus software, Oberheide says users still need to be cautious.
“One, don’t pay for it, and two, don’t rely on it,” Oberheide advises people considering antivirus programs. “You can’t throw out computer security best practices” such as downloading “a random email attachment.”