RACK911 Labs, the division of the Linux server management and administration company RACK911 that specializes in proactively identifying security vulnerabilities in IT systems, has developed and publicly described a unique but simple method to use junction of
As the cybersecurity experts at RACK911 Labs put it, to some effect: antivirus software should protect us from dangerous cyber threats, but what if such protection can be silently disabled before a threat is neutralized?
What if such protection could be manipulated into performing file operations that would allow the operating system to be compromised, or simply rendered unusable, by a malicious user?
A malicious local user or malware author, according to tests conducted by RACK911 Labs, may be able to exploit a race condition (a race condition is a critical problem that occurs when two or more processes access
The public announcement of this possible exploit comes only now, but its discovery took place some time ago. RACK911 Labs announced that it started informing vendors in autumn 2018 and reported security vulnerabilities that affect all known antivirus manufacturers on all major platforms. In addition, the researchers believe that still more products, among the lesser-known ones, may be vulnerable to such attacks.
Now, in spring 2020, says RACK911 Labs, every contacted antivirus provider has had at least 6 months to correct the security vulnerabilities, and the researchers felt that the right time had come to make the study public.
The antivirus products found vulnerable in the tests, as listed by RACK911 Labs, are the following:
For Windows: Avast Free Anti-Virus, Avira Free Anti-Virus, BitDefender GravityZone, Comodo Endpoint Security, F-Secure Computer Protection, FireEye Endpoint Security, Intercept X
For macOS: BitDefender Total Security, Eset Cyber Security, Kaspersky Internet Security, McAfee Total Protection, Microsoft Defender (BETA), Norton Security, Sophos Home, Webroot Secure Any
For Linux: BitDefender GravityZone, Comodo Endpoint Security, Eset File Server Security, F-Secure Linux Security, Kaspersky Endpoint Security, McAfee Endpoint Security
Almost all of the antivirus providers mentioned, the RACK911 Labs researchers add, have already released corrective patches; the few exceptions will probably release theirs shortly. It is therefore important to keep your antivirus software up to date.
How the antivirus exploit works
RACK911 Labs explains the worrying scenario as follows. Most antivirus software works similarly: when an unknown file is saved to the hard drive, the antivirus usually scans it. If the unknown file is deemed a suspicious threat, it will automatically be quarantined and moved to a secure location pending further instructions from the user, or it will simply be deleted.
Given the nature of antivirus software, almost all applications of this type run in a privileged state, i.e. with the highest level of authorization within the operating system. Here, according to RACK911 Labs, lies a fundamental flaw: since file operations are almost always performed at the highest privilege level, this opens the door to a wide range of security vulnerabilities and various race conditions.
What most antivirus software fails to consider, again according to the RACK911 Labs analysis, is the small time window between the scan that detects the harmful file and the cleanup operation that follows immediately after.
A directory junction is exclusive to Windows and can only link two directories: it cannot link files, and the directories must be local to the file system. Directory junctions can be created by any user and do not require admin privileges, which makes them perfect for exploiting antivirus software on the Windows operating system.
A symbolic link, or symlink, is essentially a file pointing to another file. It is most commonly used on Linux and macOS, where any unprivileged user can create one. RACK911 Labs notes that Windows also has symbolic links, but by default these cannot be created by a normal, unprivileged user and therefore will not work for exploiting antivirus software.
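The scan-then-cleanup window described above, and the symlink redirection it allows on Linux and macOS, as an added example that is not RACK911 Labs' code or any vendor's: a constructed simulation in which the scanned directory is swapped for a symlink between scan and cleanup, showing that a path-based deletion follows the swap while a deletion relative to a directory handle opened at scan time does not. It assumes a POSIX system with dir_fd support; all directory and file names are constructed.

```python
import os
import stat
import tempfile

def remove_by_path(scan_dir: str, name: str) -> None:
    """Naive cleanup: re-resolves the full path at deletion time. If scan_dir
    has meanwhile become a symlink, the file it points at is what gets deleted."""
    os.unlink(os.path.join(scan_dir, name))

def open_scan_dir(path: str) -> int:
    """Resolve the directory once, at scan time, refusing a symlink at that
    position (O_NOFOLLOW makes the open fail with ELOOP)."""
    return os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)

def remove_by_dirfd(dir_fd: int, name: str) -> None:
    """Hardened cleanup: acts relative to the handle from scan time, so a later
    swap of the directory path has no effect; also refuses non-regular entries."""
    st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
    if not stat.S_ISREG(st.st_mode):
        raise OSError("refusing to act on a non-regular file")
    os.unlink(name, dir_fd=dir_fd)

def simulate(hardened: bool) -> dict:
    """Constructed scenario: 'system/payload.txt' stands in for a protected
    file, 'scan/payload.txt' for the detected file. Between scan and cleanup
    the scan directory is replaced by a symlink to the protected directory.
    Returns which files still exist afterwards."""
    with tempfile.TemporaryDirectory() as root:
        victim_dir, scan_dir = os.path.join(root, "system"), os.path.join(root, "scan")
        os.mkdir(victim_dir)
        os.mkdir(scan_dir)
        victim = os.path.join(victim_dir, "payload.txt")
        for p in (victim, os.path.join(scan_dir, "payload.txt")):
            with open(p, "w") as f:
                f.write("constructed sample data")
        dfd = open_scan_dir(scan_dir)            # scan phase: directory handle taken here
        os.rename(scan_dir, scan_dir + ".old")   # the race window: path swapped for a symlink
        os.symlink(victim_dir, scan_dir)
        try:
            if hardened:
                remove_by_dirfd(dfd, "payload.txt")
            else:
                remove_by_path(scan_dir, "payload.txt")
        finally:
            os.close(dfd)
        return {
            "victim_intact": os.path.exists(victim),
            "suspect_removed": not os.path.exists(os.path.join(scan_dir + ".old", "payload.txt")),
        }
```

The hardened variant mirrors the general fix the text implies: resolve the directory once, keep the handle, and perform every privileged file operation relative to it rather than re-walking a user-controlled path.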
In tests conducted on Windows, macOS and Linux, RACK911 Labs reports, its researchers were able to easily delete important antivirus-related files, which left the software unable to prevent viruses.
Moreover, RACK911 Labs also stresses that exploiting these flaws proved to be a rather trivial operation, and experienced malware authors would have no trouble putting such tactics to use. The hardest part would be figuring out when to create the directory junction or symlink, since being a second too early or too late is enough for the exploit to no longer work.
However, a local malicious user trying to
In publishing and reporting the vulnerability, RACK911 Labs also shared several proofs of concept for Windows, macOS and Linux environments.