
Security flaw in Bitdefender Antivirus Free 2020 leaves millions at risk


Security researchers from SafeBreach have found a critical security flaw in Bitdefender Antivirus Free 2020 that could allow hackers to gain complete control over a user's computer.

The vulnerability was discovered by the company's Peleg Hadar, who explained to Forbes why he decided to look for flaws in antivirus software, saying:

"I’ve picked this particular software mainly because it’s a popular one which is probably used by many users, so this kind of vulnerability has a big impact. In my opinion, it’s very important to fix these kinds of issues so people will be more secure." 

The vulnerability in Bitdefender Antivirus Free 2020 is so critical because the software loads a dynamic link library (DLL) into memory without checking that the file actually comes from the company. This means that hackers could create their own DLL and have the software load it, a technique known as DLL hijacking.

To make matters worse, Bitdefender's antivirus software loads the DLL every time it is restarted, so if malicious code were injected into the software, it would be persistent and almost impossible to track.
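
As an added illustration of the missing check described above (not code from SafeBreach, Bitdefender or the original article), this PowerShell audit lists DLLs loaded by a running process that are unsigned, fail Authenticode validation, or are signed by a publisher other than the host executable's or Microsoft. The process name is a hypothetical placeholder, and the Microsoft subject match is a heuristic assumption.

```powershell
# Added example (defensive audit). Run from an elevated PowerShell session.
param(
    # Hypothetical placeholder: replace with the process name to audit.
    [string]$ProcessName = 'ExampleService'
)

function Get-SignatureInfo {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    # Protected or higher-privileged processes may refuse module enumeration.
    $modules = $null
    try { $modules = $proc.Modules } catch { }
    if (-not $modules -or -not $proc.Path) {
        Write-Warning "Cannot enumerate modules for PID $($proc.Id); skipping."
        continue
    }

    $hostInfo = Get-SignatureInfo -Path $proc.Path
    $appDir   = Split-Path -Path $proc.Path -Parent

    foreach ($module in $modules) {
        if (-not $module.FileName) { continue }
        $info = Get-SignatureInfo -Path $module.FileName
        $samePublisher = $info.Subject -and ($info.Subject -eq $hostInfo.Subject)
        # Heuristic (assumption): validly signed Microsoft binaries are expected.
        $microsoft = $info.Subject -like '*O=Microsoft Corporation*'

        if ($info.Status -ne 'Valid' -or -not ($samePublisher -or $microsoft)) {
            [pscustomobject]@{
                ProcessId  = $proc.Id
                Module     = $info.Path
                Status     = $info.Status
                Signer     = $info.Subject
                # A DLL loaded from outside the application folder deserves a closer look.
                OutsideApp = -not $info.Path.StartsWith($appDir, [StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
}
```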

Privilege escalation flaw

Hadar provided further details on the security flaw he found in Bitdefender Antivirus Free 2020 in a blog post, saying:

“The vulnerability gives attackers the ability to load and execute malicious payloads using a signed service. This ability might be abused by an attacker, for example to achieve Application Whitelisting Bypass for purposes such as execution and evasion.”

Once an attacker gains access to a user's system by exploiting the flaw in Bitdefender's software, they could use the service to operate as an admin, giving them access to almost every file and process on the device.

Thankfully, the flaw only affects the free version of the company's antivirus, and Bitdefender has published a security advisory with more details on the vulnerability. It has also issued a patch to correct the flaw.

Via Forbes