Researchers from the computer security lab RACK911 Labs reported, in one of their recent papers, that they had discovered a "symlink race" bug in more than 28 of the most popular antivirus products.
Today, however, it seems that most of these bugs have been fixed by the vendors of the antivirus solutions concerned.
According to the RACK911 researchers, the vulnerabilities could be used by attackers to delete certain files used by the security tool, or even by the operating system, rendering the target machine unusable. The researchers call these bugs "symlink races". In practice, the vulnerability links the malware to a legitimate program, so that when the user runs the program, actions end up being carried out through the malware rather than the legitimate program, without the latter's knowledge. "Symlink race vulnerabilities are often used to link malicious files to higher-privileged ones, resulting in privilege escalation attacks. This is a very real and old problem with operating systems that allow concurrent processes," argues Dr. Bonchev, a member of the National Computer Virology Laboratory of the Bulgarian Academy of Sciences. He added: "It has been noted that many programs have suffered from this in the past."
The RACK911 Labs team said it has been studying the issue since 2018; the report published last week is therefore the result of 2 years of research. It found that all 28 tools, running on Windows, macOS and Linux, were vulnerable to these flaws. The researchers notified every vendor to help them fix the problem. However, the team stated: "Most antivirus vendors have repaired their products, with a few exceptions." Some vendors publicly acknowledged the vulnerability in press releases, while others simply patched it in total silence to avoid drawing attention. The researchers also declined to name the products that have not yet been fixed.
What stands out in this story is that antivirus products are generally vulnerable to this kind of flaw, and that is because of the way they operate. When an antivirus scans a file, there is a short window between the moment the file is scanned and judged malicious and the moment it is deleted. Attacks based on this flaw consist of replacing the malicious file, during that window, with a symbolic link to a legitimate file, so that the path still looks like the malicious file but now resolves to the file it is linked to. As a result, when the antivirus tries to get rid of the detected malicious file, it deletes its own files, or important operating-system files, instead. The researchers demonstrated this with proof-of-concept scripts. "During our testing on Windows, macOS and Linux, we were able to easily delete important files related to the antivirus software that made it ineffective and even remove key files from the operating system that would cause significant corruption requiring a complete reinstallation of the operating system," RACK911's experts said.
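As an added example that is not from the RACK911 report or any vendor's code, the following Python (Linux or macOS, since it relies on directory file descriptors) shows the handle-based deletion a scanner can use so that a symlink swapped in during the scan-to-delete window cannot redirect the unlink; `ScannedFile` and `demo` are hypothetical names, and the directories and files are constructed in a temporary directory. Calling `demo(hardened=False)` shows the naive path-based delete removing the protected file instead.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

class ScannedFile:
    """Hypothetical helper, not any vendor's code: remembers what was scanned and holds
    a handle to its parent directory so deletion cannot be redirected by a symlink swap."""
    def __init__(self, path):
        directory, self.name = os.path.split(os.path.abspath(path))
        self.dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        st = os.stat(self.name, dir_fd=self.dir_fd, follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            os.close(self.dir_fd)
            raise ValueError(f"not a regular file: {path}")
        self.identity = (st.st_dev, st.st_ino)  # device/inode the scanner examined

    def delete(self):
        """Unlink via the held directory handle, only if the entry is still the scanned file."""
        try:
            st = os.stat(self.name, dir_fd=self.dir_fd, follow_symlinks=False)
        except FileNotFoundError:
            return False
        if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != self.identity:
            return False
        os.unlink(self.name, dir_fd=self.dir_fd)
        return True

def demo(hardened=True):
    """Constructed scenario: between scan and delete, the scanned directory is swapped for
    a symlink to a 'protected' directory. Returns (flagged_removed, protected_survived)."""
    root = tempfile.mkdtemp()
    protected, scan_dir = os.path.join(root, "protected"), os.path.join(root, "scan")
    for d in (protected, scan_dir):
        os.mkdir(d)
    keep, target = Path(protected, "sample.bin"), Path(scan_dir, "sample.bin")
    keep.write_bytes(b"important")   # legitimate file the deletion must not touch
    target.write_bytes(b"flagged")   # file the scanner has just judged malicious
    scanned = ScannedFile(target)    # scan step: identity and directory handle captured
    os.rename(scan_dir, scan_dir + ".moved")
    os.symlink(protected, scan_dir)  # race window: the path name now points elsewhere
    # hardened: acts through the handle; naive: path-based delete follows the symlink
    scanned.delete() if hardened else os.remove(target)
    os.close(scanned.dir_fd)
    flagged_removed = not os.path.exists(os.path.join(scan_dir + ".moved", "sample.bin"))
    protected_survived = keep.exists()
    shutil.rmtree(root)
    return flagged_removed, protected_survived
```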
Even though the flaw has been fixed in most of the affected products, the researchers continue to warn: "Make no mistake, the exploitation of these vulnerabilities was quite trivial and seasoned malware authors will have no problem weaponizing the tactics described in this blog post."
For his part, Dr. Bonchev believes such attacks could have been even more dangerous "if they rewrote the files, which could be feasible, and would lead to a total takeover of the attacked system." But that scenario would not be so simple to achieve.