Cybersecurity experts at Rack 911 Labs found a security bug in 28 antivirus applications. Hackers can use an error in the system to delete files, install malware, and cause crashes.
The Rack911 Labs report refers to a “symlink race”. A symlink race vulnerability occurs when you link a malicious and a legitimate file. Eventually, you can perform malicious actions with the legitimate file. Hackers use the vulnerabilities in the symlink to connect malicious files to higher privilege items, resulting in Elevation-of-Privilege (EoP) attacks. These attacks happen in a short period of time between scanning a virus and deleting a file.
Popular antivirus applications such as Microsoft Defender, McAfee Endpoint Security and Malwarebytes all contain the bug. Most companies, including Symantec, McAfee and AVG, have already patched the bug. According to Rack911, there are still a few companies that have not updated their software. These companies are not named so as not to undermine their security.
Easy to exploit
The cybersecurity experts tested how difficult it was to compromise the integrity of an antivirus application. They were able to remove important files within the antivirus software in a way that rendered the program useless. They were also able to delete essential data from the operating system itself, which meant that the operating system as a whole had to be reinstalled. These tests were successful in Windows, macOS and Linux.
“Make no mistake, the use of these exploits was quite insignificant, and seasoned malware authors will have no problem arming these tactics,” the report says.
Despite the fact that most companies have patched their software, it is still possible for variations on the Symlink bugs to appear.
Also read: Exclusive interview with Citrix CISO: Fermin Serna, where did it go wrong?