Parser Bugs in AV Software could Increase Attack Risk
European security researchers have recently demonstrated how host-based IDS/IPS tools and anti-virus software could be manipulated against their users.
Thierry Zoller, security engineer at n.runs AG, a German security company, and Sergio Alvarez, head of research at n.runs, found a large number of flaws in these security products over the course of 2006. Some of the vulnerabilities have since been fixed by the vendors concerned.
The vulnerabilities lie in the 'parser engines' of the security products. They allow attackers to plant malware on a corporate network by evading the IDS/IPS and AV devices, to read e-mail on a company's server or send e-mail from it, and to create a backdoor on that server.
Alvarez and Zoller demonstrated their proof of concept at the HackLu2007 conference in Luxembourg in October 2007. According to Zoller, the problem is that the parser flaws turn a multi-layered 'defense in depth' arrangement against the very network that runs the security tools.
Zoller and Alvarez investigated the issue over 2005-06 and found 80 parser holes in various anti-virus products, most of which remain unpatched.
According to the researchers, organizations believe they have a 'defense in depth' strategy in place when in fact they do not. By stacking layers of AV engines, they actually increase the likelihood of an attack. Darkreading reported this in the third week of November 2007.
The flaws affect all major anti-virus vendors, and a number of them could allow unauthorized code execution on a compromised computer, Zoller said, as reported by PC World on November 25, 2007.
Zoller explained that it is wrong to assume that stacking AV engines provides defense in depth. In reality, because every AV product has flaws, a worm can pass through all of them, and the added layers only increase the attack surface.
Given that attackers have been exploiting parsing flaws in browsers for years, sometimes successfully, Zoller is confident that, because AV programs are deployed everywhere, these parsing bugs will sooner or later lead to even more serious problems.
» SPAMfighter News - 06-12-2007