Matousec.com is reporting that they have discovered a massive vulnerability in the kernel mode drivers installed by all the major antivirus and internet security products. Apparently, this vulnerability can be used, even by a code running on an unprivileged user account, to bypass the self-defence of the concerned security products.
The list of affected products is huge. Everyone including AVG, Avira, Avast, BitDefender, Kaspersky, McAfee, Comodo, ESET, F-Secure, GDATA, Online Armor, Panda, Sophos, ThreatFire, Trend Micro and Zone Alarm are vulnerable.
The exploit belongs to the category of argument-switch attack. In a multi-tasking environment like ours, the operating system constantly switches between processes. This switching is taken care of by the scheduler. Consider a scenario where the attacker calls system services with innocuous parameters that will definitely pass through the security checks put in place by your antivirus. Now, when the fake thread gets its time slice, it modifies the values of the parameters to malicious ones. If the order of scheduling were such that this event occurs after the security checks have been carried out by the antivirus, but before the service is called, then the attack would be successful.
The vulnerability does seem to rely a lot on chance (a particular race condition). Unfortunately, it can be exploited fairly reliably on systems with multi-core processors. This is because multiprocessing systems allow the execution of two threads from the same program simultaneously, which makes the tricky sequence of execution becomes quite unnecessary. The in-depth explanation of the vulnerability is available here.
In an official blogpost F-Secure has validated Matousec’s findings. While it confirmed that the issue is serious, F-secure stressed that this attack does not “break†all antivirus systems forever.
