Unwittingly, flaws in some security software may be assisting malware in gaining access to your system.
According to researchers, certain flaws in antivirus software give threat actors the ability to escalate privileges on vulnerable systems. Since every Windows system has at least one such piece of software that can be exploited via file manipulation, the number of exploitable machines becomes huge.
- Researchers claim the bugs stem from the default Discretionary Access Control Lists (DACLs) of the C:\ProgramData directory. This directory is used by various applications installed on the system to store data without requiring additional permissions.
- If a non-privileged user creates a directory in ProgramData, that directory can later be used by a privileged process, since the location is not tied to a specific user.
- Insufficient address-space verification within the IOCTL handlers of device drivers is another cause of security risks in some cybersecurity solutions.
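As an added illustration (not from the article or from the researchers), the following PowerShell audit lists which C:\ProgramData subdirectories grant create, write or delete rights to broad, low-privileged principals; the list of principals and the rights mask are assumptions to adjust per environment, and hits marked Inherited come from the default ProgramData DACL the researchers describe.

```powershell
# Added example: audit C:\ProgramData subdirectories for DACL entries that let
# low-privileged principals plant or replace files. Assumes Windows PowerShell
# 5.1 or later; the principal list below is an assumption, not from the article.
$Root = 'C:\ProgramData'
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, overwriting or deleting content in a directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        # Only Allow entries for the broad principals matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic rights bits outside the enum still compare.
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True = default DACL passed down
            }
        }
    }
}

# Walk the top-level subdirectories (hidden ones included) and report findings.
Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Test-BroadWriteAccess -Path $_.FullName } |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

Directories that belong to a privileged service and show up with non-inherited broad write rights are the ones worth reviewing first, since they were opened up deliberately by an installer.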
List of the Common Vulnerabilities and Exposures (CVE) identifiers shared by the researchers:
- CVE-2020-25045, CVE-2020-25044, CVE-2020-25043
- CVE-2020-7250, CVE-2020-7310
- CVE-2019-19548
- CVE-2020-9290
- CVE-2019-8452
- CVE-2019-19688, CVE-2019-19689 +3
- CVE-2020-13903
- CVE-2019-1161
Some other incidents that show different ways of reaching infected systems:
- A technique using wsreset(.)exe can be used to exploit the Windows 10 Microsoft Store, bypassing antivirus protection on a system and evading detection.
- The KryptoCibule malware family has been observed dodging anti-malware tools to steal cryptocurrency.
The bugs mentioned above allow full privilege escalation on local systems. Through them, threat actors can gain a foothold on a system and wreak havoc on an organization. Although the software vendors have addressed the flaws, these incidents show how some security providers can end up being the doorway for malice into our systems.
To read more, please check the eScan Blog.