Antivirus software as a malware gateway
Critical vulnerabilities have been found this year in virtually all antivirus products. But the danger of protective software, of all things, mutating into a gateway for pests is still largely underestimated.
Antivirus software is not only the most important protection against pests arriving from the Internet, it could also be one of the most dangerous gateways for attackers and their damaging software. Not only does it run on every desktop system, it's also present on many servers and is constantly processing potentially malicious files. So a security hole at this point could have catastrophic consequences.
In a presentation (PDF file) at Hack.lu 2007, Sergio Alvarez and Thierry Zoller criticized in particular the poor security precautions in antivirus software. These two security specialists from n.runs know what they are talking about: in 2007 alone they published about thirty advisories on security problems in antivirus software, some of them critical. They state that they have reported some 800 problems to manufacturers.
Alvarez and Zoller see the central problem as the assumption by many people that security software, more or less by definition, is itself secure. This means that users, and even the makers of antivirus software, think the worst danger is a virus being overlooked by their product. The greater danger of antivirus software itself becoming a gateway for malware is completely disregarded by most of them. Zoller deplores the fact that hardly any firm has taken precautions against an attack scenario in which, for example, a pest enters via a security hole in the antivirus scanner and takes over the mail server. Andreas Marx from AV-Test confirms this: "Virtually no software maker seems to be paying really serious attention to the security of their own products."
The endless list of critical security problems that have been discovered in antivirus software in recent years is evidence that the problem is a real one. Many of these have actually made it possible to smuggle in code and execute it, by means of a specially prepared E-mail for example.
One outstanding source of vulnerability is the wide variety of formats that an antivirus scanner has to investigate and evaluate. Quite often age-old code is used which has not been revised, even after the existence of security holes has become known. The best example: Stefan Kanthak discovered just a few weeks ago that the BitDefender scanner was using a zlib library dating back to 1998, which, of course, contained a critical error that could be exploited to smuggle in code.
Alternatively, in response to new malicious coding techniques, manufacturers rush to cobble together an unpacker for an EXE packer that has only just appeared. Developers are put under extreme time pressure by this, and hardly any time is left for thorough testing. What then emerges is easy to imagine.
The list of manufacturers of antivirus software with critical security problems reads like a Who's Who of the industry: the blacklist of Zoller and Alvarez includes Avast, Avira, BitDefender, CA, ClamAV, Eset NOD32, F-Secure, Grisoft AVG, Norman, Panda and Sophos. iDefense uncovered critical buffer overflows in Kaspersky's scanner, McAfee's VirusScan and Trend Micro's security products. Secunia found the same thing in Symantec's E-mail Security, and ISS/IBM XForce caught out Microsoft's security products. All of these appeared just this year, and the list is by no means complete: the n.runs specialists alone say they have discovered more than 80 critical holes and passed them on to the manufacturers. As far as they know, only some thirty of them have been closed so far.
Most of these problems are ironed out quietly and secretly by the manufacturers via an automatic update function, without making much fuss about it. Marx confirmed to heise Security that, just this year, he and his team have reported some thirty buffer overflows in antivirus products to their manufacturers. There has not been an official advisory about a single one.
An end to critical security holes is not even remotely in sight. Security services providers eEye and Zero Day Initiative still have a long queue of work due to critical holes in security software. This means that, for these holes, functioning exploits already exist. Alvarez and Zoller also speak of the tip of an iceberg, prophesying that the situation will get worse rather than better in the near future.
There is no quick and easy solution. Administrators could certainly try to isolate the seat of the problem on servers by executing virus scanners with minimal rights in as restricted an environment as possible. But via Web sites, downloads and E-mails, potentially damaging code can also reach desktop systems where that cannot easily be done. n.runs will shortly be filling the gap with a new technology by the name of ParsingSafe. As yet, however, not much more is known about it other than the name.
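One way to do the server-side isolation this paragraph describes, as an added example that is not from the article, from n.runs or from any antivirus vendor: a Python wrapper that starts the scanner as a child process with an address-space cap, a CPU cap, no core dumps, a wall-clock timeout, an empty working directory and a minimal environment, and drops root to a service account when it has root to drop. Everything here is constructed for the example: `run_confined`, `ScanOutcome`, and the two stand-in commands, which run the Python interpreter in place of a real scanner binary (one allocating 4 GiB as an unbounded unpacker would, one that never returns). It needs a Unix host because it uses the `resource` module.

```python
"""Run an untrusted-input scanner as a confined child process.

Added example; the stand-in commands below replace a real scanner binary.
Unix only (uses the resource module)."""
import os
import pwd
import resource
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ScanOutcome:
    returncode: Optional[int]   # None when the child was killed on timeout
    timed_out: bool
    stderr_tail: str            # last 200 bytes of stderr, for the audit log


def _cap(res: int, value: int) -> None:
    """Lower a limit to `value`, never above the hard limit the process already has."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _confinement(max_address_space: int, max_cpu_seconds: int,
                 drop_to: Optional[pwd.struct_passwd]):
    """Build the function subprocess runs in the child between fork() and exec()."""
    def preexec() -> None:
        # Address-space cap: a decompression bomb or runaway allocation in a
        # parser fails with ENOMEM in the child instead of exhausting the host.
        _cap(resource.RLIMIT_AS, max_address_space)
        # CPU cap: a parser stuck in a loop is killed by the kernel (SIGXCPU).
        _cap(resource.RLIMIT_CPU, max_cpu_seconds)
        # No core dumps: a crash must not leave an image of the suspicious
        # file (and whatever else the scanner held in memory) on disk.
        _cap(resource.RLIMIT_CORE, 0)
        if drop_to is not None and os.geteuid() == 0:
            # Drop root: supplementary groups first, primary gid, uid last.
            os.setgroups([])
            os.setgid(drop_to.pw_gid)
            os.setuid(drop_to.pw_uid)
    return preexec


def run_confined(argv: List[str], *, wall_seconds: float,
                 max_address_space: int = 1 << 30, max_cpu_seconds: int = 10,
                 unprivileged_user: Optional[str] = None) -> ScanOutcome:
    """Run argv under limits, a wall-clock timeout, an empty cwd and a minimal env."""
    # Resolve the account in the parent; NSS lookups after fork() are not safe.
    drop_to = pwd.getpwnam(unprivileged_user) if unprivileged_user else None
    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                argv,
                cwd=scratch,                                  # empty working directory
                env={"PATH": "/usr/bin:/bin", "LANG": "C"},   # nothing inherited from the parent
                stdin=subprocess.DEVNULL,
                stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                timeout=wall_seconds,                         # backstop for sleeps and I/O waits
                preexec_fn=_confinement(max_address_space, max_cpu_seconds, drop_to),
            )
        except subprocess.TimeoutExpired as exc:              # run() has already killed the child
            tail = (exc.stderr or b"")[-200:].decode(errors="replace")
            return ScanOutcome(None, True, tail)
    return ScanOutcome(proc.returncode, False, proc.stderr[-200:].decode(errors="replace"))


# Constructed stand-ins for a scanner whose parser misbehaves on a crafted file:
BOMB = [sys.executable, "-c", "bytearray(4 << 30)"]            # allocates 4 GiB, like an unbounded unpack
HANG = [sys.executable, "-c", "import time; time.sleep(60)"]   # never returns


def demo_memory_cap(user: Optional[str] = None) -> ScanOutcome:
    """Child dies with MemoryError under the 1 GiB address-space cap; the parent survives."""
    return run_confined(BOMB, wall_seconds=20, unprivileged_user=user)


def demo_wall_clock_cap(user: Optional[str] = None) -> ScanOutcome:
    """Child is killed after one second of wall-clock time."""
    return run_confined(HANG, wall_seconds=1, unprivileged_user=user)


if __name__ == "__main__":
    account = "nobody" if os.geteuid() == 0 else None   # drop root only if we have it
    print(demo_memory_cap(account))
    print(demo_wall_clock_cap(account))
```

The limits are the cheap part of "as restricted an environment as possible"; on a mail gateway the same wrapper would also be combined with a dedicated account that can read only the quarantine directory, and with whatever filesystem or namespace isolation the host offers, so that a compromised scanner process cannot reach the mail spool or the network.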
A fundamental solution will take a long time to thrash out, and it will require the manufacturers of security software to start measuring their products by the standards that have long been taken for granted in other security-related domains. This also includes specific risk analyses and secure development techniques, as well as code reviews and penetration tests, with fuzzing for example.
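Fuzzing, as an added illustration that is not from the article: a toy container format with two parsers for it, one that trusts every length field the way the aged format handlers described above tend to, and one that validates each field against the bytes actually present and the size of its own buffer, plus a small mutation fuzzer that reports any exception other than the parser's own `FormatError`. The format, both parsers and the mutation strategy are constructed for this example; in Python the failures surface as exceptions at exactly the points where equivalent C code would read or write past a buffer.

```python
"""Mutation fuzzing a toy container parser (added example, not from the article)."""
import random
import struct
from typing import Callable, Dict, List

MAX_NAME = 64   # the fixed buffer the naive parser copies names into (think char name[64] in C)


class FormatError(Exception):
    """The only exception a well-behaved parser may raise for malformed input."""


def build_container(names: List[bytes]) -> bytes:
    """Constructed sample format: b'TC' | count (1 byte) | (length u16 big-endian | name)*."""
    out = bytearray(b"TC") + bytes([len(names)])
    for name in names:
        out += struct.pack(">H", len(name)) + name
    return bytes(out)


def parse_naive(data: bytes) -> List[bytes]:
    """Trusts every field. Exceptions escape where C would read or write out of bounds."""
    count = data[2]                                            # IndexError on a 2-byte file
    off, names = 3, []
    for _ in range(count):
        (n,) = struct.unpack(">H", data[off:off + 2])          # struct.error when truncated
        buf = memoryview(bytearray(MAX_NAME))
        buf[:n] = data[off + 2:off + 2 + n]                    # ValueError: n is never checked against 64
        names.append(bytes(buf[:n]))
        off += 2 + n
    return names


def parse_hardened(data: bytes) -> List[bytes]:
    """Validates each field against the bytes present and the buffer size; raises only FormatError."""
    if len(data) < 3 or data[:2] != b"TC":
        raise FormatError("bad header")
    count = data[2]
    off, names = 3, []
    for i in range(count):
        if off + 2 > len(data):
            raise FormatError(f"entry {i}: truncated length field")
        (n,) = struct.unpack_from(">H", data, off)
        if n > MAX_NAME:
            raise FormatError(f"entry {i}: name length {n} exceeds {MAX_NAME}")
        if off + 2 + n > len(data):
            raise FormatError(f"entry {i}: name runs past end of file")
        names.append(data[off + 2:off + 2 + n])
        off += 2 + n
    return names


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one random byte-level or structural mutation."""
    buf = bytearray(data)
    kind = rng.randrange(4)
    if kind == 0 and buf:                                   # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif kind == 1 and buf:                                 # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif kind == 2 and buf:                                 # truncate
        del buf[rng.randrange(len(buf)):]
    else:                                                   # insert a few random bytes
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def fuzz(parser: Callable[[bytes], List[bytes]], seed: bytes,
         iterations: int, rng_seed: int = 1) -> Dict[str, bytes]:
    """Return one crashing input per unexpected exception type; FormatError is the expected rejection."""
    rng = random.Random(rng_seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        sample = seed
        for _ in range(rng.randint(1, 3)):                  # stack one to three mutations
            sample = mutate(rng, sample)
        try:
            parser(sample)
        except FormatError:
            continue
        except Exception as exc:                            # anything else is a bug in the parser
            crashes.setdefault(f"{type(exc).__module__}.{type(exc).__name__}", sample)
    return crashes


SEED = build_container([b"hello", b"world"])   # one valid file to mutate from

if __name__ == "__main__":
    for label, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        found = fuzz(parser, SEED, 2000)
        print(f"{label}: {len(found)} distinct crash types {sorted(found)}")
```

The same loop, pointed at a real engine's format handlers under a sanitizer or a debugger, is what turns "age-old code" into a list of reproducible crash inputs; the hardened parser shows the property a reviewer should demand of every handler, namely that malformed input is rejected through one well-defined error path and nothing else.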
"Most of the antivirus scanning engines would probably have to be restructured and completely rewritten", is the sobering conclusion of Andreas Marx. These programs, he contends, have so far just grown and grown, and have to some extent been based on approaches and routines that were developed as much as five, ten or fifteen years ago. It has always been a matter of stuffing in new features, but no large-scale revision has been undertaken.
Zoller and Marx agree that basically only a secure software development life cycle could get rid of such problems for good. But the makers of antivirus software are still enjoying extremely high growth rates, so they see no reason to make far-reaching changes. The customer is the one who holds the key to the problem. Instead of confining his next buying decision to questions of price and recognition rates, he could also consider whether the software has gone through a secure software development life cycle. (ju)