A large number of popular antivirus programs may have had or still have bugs that let attackers delete files, a new report has claimed.
Security researchers at Rack911 Labs found 28 well-known antivirus tools could have common vulnerabilities giving attackers the ability to delete files and prompt system crashes, allowing them to then install potentially damaging malware.
The report names antivirus programs including McAfee Endpoint Security, Microsoft Defender and Malwarebytes in its list of products that could have or have had bugs that could eventually result in malware installations.
Symlink race bugs
"In our testing across Windows, macOS & Linux, we were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS," the company said in a blog post.
Known as "symlink races", these attacks use symbolic links and directory junctions to link malicious files alongside legitimate ones in the window between when the antivirus software scans a file for malware and when the file gets removed. According to Rack911, this tactic works across security suites and platforms.
The researchers say the problem lies with the way most antivirus software operates in a privileged state within the system, meaning it has the highest level of authority. Calling this the fundamental flaw, Rack911 says file operations are performed at the highest level, which then opens the door to a wide range of security vulnerabilities and various race conditions.
The research team says that while some vendors, including AVG, F-Secure, McAfee and Symantec, have fixed the bugs, a few antivirus clients remain vulnerable. Symlink race condition bugs are among the oldest and vilest to mitigate in applications and across operating systems.
Rack911 has further warned that this vulnerability could reduce the effectiveness of the antivirus software and make malware more effective for attackers who are aware of this bug.
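The race described above exists because the scan and the later delete each resolve the same path separately. The following is an added example (not from Rack911's report or any vendor's code) of one POSIX-side mitigation on Linux or macOS: hold a descriptor to the scanned directory and delete relative to it after re-checking the file's identity. The function names and the temporary-directory scenario are constructed for illustration.

```python
import os
import stat
import tempfile

class Swapped(Exception):
    """The name no longer refers to the object that was scanned."""

def pin_dir(directory):
    # Hold a descriptor to the directory for the whole scan-then-delete window.
    return os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)

def scan(dir_fd, name):
    """Open name relative to the pinned directory; return (device, inode)."""
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise Swapped(name)
        return st.st_dev, st.st_ino  # content inspection would read from fd here
    finally:
        os.close(fd)

def remove_scanned(dir_fd, name, identity):
    """Delete name only if it is still the scanned file in the pinned directory."""
    st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != identity:
        raise Swapped(name)
    # unlinkat() semantics: the directory path is not resolved again, and a
    # late swap of the name can only cost an entry inside the pinned directory.
    os.unlink(name, dir_fd=dir_fd)

def demo():
    """Constructed case: the scanned directory path is redirected before removal."""
    with tempfile.TemporaryDirectory() as root:
        scanned, other = (os.path.join(root, d) for d in ("scanned", "system"))
        for d in (scanned, other):
            os.mkdir(d)
            with open(os.path.join(d, "item.bin"), "w") as f:
                f.write(d)
        dir_fd = pin_dir(scanned)
        try:
            identity = scan(dir_fd, "item.bin")
            os.rename(scanned, scanned + ".moved")
            os.symlink(other, scanned)  # same path, different directory now
            remove_scanned(dir_fd, "item.bin", identity)
        finally:
            os.close(dir_fd)
        return (os.path.exists(os.path.join(other, "item.bin")),
                os.path.exists(os.path.join(scanned + ".moved", "item.bin")))
```

`demo()` returns whether the file in the unrelated directory survived and whether the flagged file is still present; a delete by full path in the same scenario would have removed the unrelated file instead.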