DoubleAgent: Taking Full Control Over Your Antivirus

230f4

Hello,

On November 26th, we were first contacted by Cybellum and made aware of an undocumented feature in Windows that can potentially allow an attacker to inject third party code into any process running on the computer, including those processes that are the building bricks of the operating system itself.

Cybellum applied this feature to anti malware solutions including ours, and supplied a working Proof of concept to Bitdefender early December through the Bitdefender Bug bounty program.

This undocumented feature, Microsoft Application Verifier, ships with all versions of Windows and is used for debugging (troubleshooting application code). The functionality it leverages is not a vulnerability in any exploited product, but rather a feature by design to assist developers in the application creation process.

While a fix is scheduled for later this year for Bitdefender solutions to prevent this, the fact that in order for the exploit be successful, it needs to be executed with administrator rights, considerably narrows the attack surface. Its actually easier to uninstall the security solution if you have administrator rights for example.

In order to further minimize the potential impact of the Microsoft Application Verifier exploit Bitdefender recommends that computer administrators and owners enforce the best security practices advocated by the industry: never open unsolicited or unexpected attachments and – most importantly – never run applications as privileged user.