Your anti-virus might not be as safe as you thought.
An expert from COSEINC, a computer security firm based in Singapore, recently presented some shocking findings at a conference. He tested at least 17 different anti-virus products and found bugs in 14 of them. On top of that, he suggested that, in some ways, anti-virus software can even make you MORE vulnerable rather than less. Here's a quote from one of his presentation slides:
In general, AV software...
- ...doesn't make you any safer against skilled attackers.
- ...increase your attack surface.
- ...make you more vulnerable to skilled attackers.
- ...are as vulnerable to attacks as any other application.
Some AV software...
- ...may lower your operating system protections.
- ...are plagued of both local and remote vulnerabilities.
The researcher, Joxean Koret, is saying that talented hackers who know the ins and outs of how anti-virus software works can actually use it against you. When he talks about "attack surface," he's referring to the amount of code a hacker has to work with to find an exploit. Anti-virus programs need to recognize lots of different file formats to stop threats, and they typically operate with the highest privileges possible. Because of that, installing one increases the number of doors a hacker could conceivably find into your computer.
An anti-virus is a program that's designed to protect operating systems and programs from attacks. But Koret is saying that if someone talented enough goes after the anti-virus program itself, he or she should be able to find a way in. Anti-viruses don't often have processes in place to protect themselves from attacks - they're just like any other program in that way.
Koret didn't list all the anti-viruses he tested, nor did he publish all the flaws he found. He stated that he doesn't provide his research for free, and the onus is on anti-virus companies to do a better job auditing their own products. Here's a limited list of the products and bugs from his slideshow:
- Avast: Heap overflow in RPM (reported, fixed and paid Bug Bounty)
- Avg: Heap overflow with Cpio (fixed...)/Multiple vulnerabilities with packers
- Avira: Multiple remote vulnerabilities
- BitDefender: Multiple remote vulnerabilities
- ClamAV: Infinite loop with a malformed PE (reported & fixed)
- Comodo: Heap overflow with Chm
- DrWeb: Multiple remote vulnerabilities (vulnerability with updating engine fixed)
- ESET: Integer overflow with PDF (fixed)/Multiple vulnerabilities with packers
- F-Prot: Heap overflows with multiple packers
- F-Secure: Multiple vulnerabilities in Aqua engine (all the F-Secure own bugs fixed)
- Panda: Multiple local privilege escalations (reported and partially fixed)
- eScan: Multiple remote command injection (all fixed? LOL, I doubt...)
- And many more...
Just because you don't see your anti-virus on this list doesn't necessarily mean it's secure. Anyway, no anti-virus will ever be 100% secure against all attacks. New malware is being created constantly, and almost all programs have bugs hidden in them somewhere just waiting to be found.
As you can see, avast! and ClamAV have each fixed the specific bugs Koret discovered. avast! uses a so-called "Bug Bounty," which means the company offers a reward for security flaws brought to its attention by private "white hat" or "good guy" hackers. Koret recommended that more anti-virus companies begin offering Bug Bounties to decrease the risk to users.
Before you panic and delete your anti-virus, know that I DO NOT recommend that! Even though, as Koret states, an anti-virus can theoretically increase your risk from "skilled attackers," the sheer volume of unskilled, scattershot attacks that your anti-virus software does catch makes it critical. Nowhere in Koret's report does he recommend deleting your anti-virus. In fact, here is the only advice he gives for consumers:
Recommendations for AV users
- Do not blindly trust your AV product.
- BTW, do not trust your AV product.
- Also, do not trust your AV product.
The key word is "blindly." It's important to know what the limitations and risks are with any security program. Some are more effective than others. For instance, avast! consistently has some of the highest ratings from independent experts. Remember that most anti-virus makers are constantly working to find and kill bugs. Practicing good habits like keeping clear of sketchy websites, avoiding phishing attacks, staying safe on public Wi-Fi, using strong, unique passwords and regularly updating against new threats is critical.