Anti-Virus Software now with Security Flaw
We use anti-virus software to stay protected from the malicious programs of all kinds lurking online; however, cyber-criminals have been found turning such software to their own sinister ends. They do this by misusing the AV programs' "restore from quarantine" option, which has lately been the case with several anti-virus products.
The vulnerability, which Austrian security auditor Florian Bogner uncovered, is named AVGater. Exploiting this loophole moves a malicious program out of the anti-virus quarantine folder and into a privileged location on the victim's PC.
Bogner, who works for Kapsch, says he notified all anti-virus vendors whose products had the flaw. A few vendors have since prepared and released updates that address the problem: Kaspersky, Ikarus, Emsisoft, ZoneAlarm, Trend Micro and Malwarebytes. Techspot.com posted this on November 13, 2017.
Although such exploits surface from time to time, that does not mean end-users should stop installing anti-virus solutions, which remain a very good means of keeping computers safe from malicious software and other problems.
Incidentally, this kind of attack poses the greatest risk to industrial computers. Hence, as the simplest way to close the loophole, Bogner suggests disabling the "restore from quarantine" option on industrial computers.
In a penetration test, Bogner used a typical phishing e-mail carrying malware to infect clients' computers. The anti-virus software quarantines the malware as expected, and he then abuses the loophole in the software that lets unprivileged end-users retrieve the quarantined (that is, isolated) file. Bogner uses the 'NTFS junction point' feature of Windows so that the quarantined malicious program is restored into a privileged directory of his choosing, such as a folder inside C:\Windows or C:\Program Files. The same technique also exploits the Dynamic Link Library (DLL) search order, which lets the malware execute with full privileges.
Since AVGater can be used only if attackers can physically access a PC, Bogner advises users to keep their anti-virus software updated to ward off the vulnerability's impact and, for industrial PCs, to disable the "retrieve from quarantine" option.
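The root cause described above is a privileged service writing a file back to a user-supplied path without checking where that path really leads. As an added illustration (not code from the article, from Bogner's research, or from any of the named vendors), the following Python sketch contrasts a restore routine that blindly writes to the requested path with one that resolves the path first and refuses to restore when the real location has been redirected outside the user's own area or into a privileged root. A symbolic link stands in for the NTFS junction so the example runs on any OS; all directory names and the "quarantined" file are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def _is_under(path: Path, root: Path) -> bool:
    """True if an already-resolved path lies inside root (or equals it)."""
    try:
        return os.path.commonpath([path, root]) == str(root)
    except ValueError:  # different drives on Windows: cannot share a prefix
        return False


def restore_naive(quarantined: Path, destination: Path) -> Path:
    """Vulnerable pattern (hypothetical): the privileged AV service writes the
    quarantined file back to whatever path the user asked for. If a directory
    on that path has meanwhile become a junction/symlink, the write lands
    wherever the link points."""
    destination.write_bytes(quarantined.read_bytes())
    return destination.resolve()


def restore_hardened(quarantined: Path, destination: Path,
                     user_root: Path, privileged_roots) -> Path:
    """Hardened pattern (hypothetical): resolve the destination's parent with
    all links expanded, then refuse unless the real location is inside the
    user's own area and outside every privileged root."""
    real_parent = destination.parent.resolve(strict=True)
    if not _is_under(real_parent, user_root.resolve()):
        raise PermissionError(
            f"restore refused: {destination.parent} resolves to {real_parent}, "
            f"outside {user_root}")
    for root in privileged_roots:
        if _is_under(real_parent, Path(root).resolve()):
            raise PermissionError(
                f"restore refused: {real_parent} is inside privileged {root}")
    real_dest = real_parent / destination.name
    real_dest.write_bytes(quarantined.read_bytes())
    return real_dest


def demo() -> dict:
    """Build a constructed layout and exercise both restore routines."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        privileged = root / "Program Files"            # stand-in for C:\Program Files
        user_docs = root / "Users" / "alice" / "Documents"
        privileged.mkdir()
        user_docs.mkdir(parents=True)

        quarantined = root / "quarantine" / "sample.bin"
        quarantined.parent.mkdir()
        quarantined.write_bytes(b"constructed placeholder, not real malware")

        # The sub-directory the file was originally quarantined from has been
        # replaced by a link into the privileged root (on Windows this would be
        # an NTFS junction; a symlink is used here as a portable stand-in).
        (user_docs / "downloads").symlink_to(privileged, target_is_directory=True)
        requested = user_docs / "downloads" / "sample.bin"

        landed = restore_naive(quarantined, requested)
        naive_escaped = _is_under(landed, privileged.resolve())

        try:
            restore_hardened(quarantined, requested, user_docs, [privileged])
            hardened_refused = False
        except PermissionError:
            hardened_refused = True

        # A legitimate restore into the user's own directory still works.
        legit = user_docs / "sample.bin"
        restored = restore_hardened(quarantined, legit, user_docs, [privileged])
        legit_ok = restored.read_bytes() == quarantined.read_bytes()

        return {
            "naive_landed_in_privileged": naive_escaped,
            "hardened_refused": hardened_refused,
            "legit_restore_ok": legit_ok,
        }


if __name__ == "__main__":
    print(demo())
```

The check-then-write in `restore_hardened` still leaves a small window in which the directory could be swapped for a link after the check; a production implementation would additionally open the parent directory with reparse-point following disabled, or perform the restore under the requesting user's own token rather than the service's, so that the filesystem itself enforces what the user may write.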
» SPAMfighter News - 20-11-2017