Malware can now trick anti-ransomware protection and bypass antivirus software

Jun 1, 2021 13:03 GMT  ·  By

Researchers have discovered serious vulnerabilities in popular antivirus software that can be exploited to disable its defenses and to take control of allowlisted applications in order to perform malicious actions, according to The Hacker News.

The twin attacks, described by researchers at the University of Luxembourg and the University of London, aim to defeat the protected folder feature of antivirus apps in order to encrypt files (an attack the researchers call Cut-and-Mouse) and to disable their real-time protection by faking mouse click events (Ghost Control).

Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg stated, "Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals".

"But they are competing with criminals which now have more and more resources, power, and dedication".

The flaws in anti-malware software allow unauthorized code to override its protections. In addition, design flaws in the antivirus vendors' Protected Folders feature can be abused, through an application that has write access to the folder, to alter the contents of files and encrypt user data. Alternatively, wipeware can be used to irrevocably destroy user data.

Protected Folders allow users to define folders that require additional protection from malicious software, potentially preventing any dangerous access to the protected folders.

Malicious code can be embedded in a trusted application

According to the researchers' attack scenario, the malicious code can be used to control a trusted application such as Notepad to perform write operations and encrypt the victim's files stored in the secured folders. To accomplish this, the ransomware reads the files in the folders, encrypts them in memory, and copies them to the system clipboard before launching Notepad and overwriting the folder contents with the data from the clipboard.

By using Paint as a trusted application, researchers discovered that the attack sequence can be used to overwrite user files with a randomly generated image and permanently destroy them.

The Ghost Control attack, on the other hand, could have major ramifications of its own: by imitating legitimate user actions performed on an antivirus solution's user interface, an adversary might be able to drop and execute any rogue application fetched from a remote server under their control.

14 of the 29 antivirus solutions tested were found to be vulnerable to the Ghost Control attack, whereas all 29 antivirus products examined were found to be vulnerable to the Cut-and-Mouse attack. The researchers did not identify the vendors that were affected.

According to the researchers, secure composability is a well-known issue in the field of safety engineering. When components that in isolation expose a certain known attack surface are combined into a system, they create a larger attack surface. When components interact with each other and with other parts of the system, they create dynamics that an attacker can interact with in unexpected ways.
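The composability problem and the Protected Folders bypass described above can be shown in a small model. The following is an added example, not code from the researchers or from any antivirus vendor: it models a folder guard that trusts writes by process identity alone (which the Cut-and-Mouse pattern defeats, because the trusted editor simply pastes back whatever it was handed) next to a guard that additionally applies an assumed content heuristic, blocking a trusted application from replacing readable content with high-entropy data. The allowlist entries, the sample document and the ciphertext stand-in are all constructed.

```python
import math
from collections import Counter

# Added example (not researchers' or vendor code): a constructed model of a
# Protected Folders guard, showing why trusting only the writing process is
# defeated by Cut-and-Mouse (a trusted editor pasting attacker-prepared
# ciphertext over the file) and one assumed content check that catches it.

TRUSTED_APPS = {"notepad.exe", "mspaint.exe"}  # assumed allowlist entries

# Constructed sample data: a readable document, a benign edit of it, and a
# stand-in for ciphertext (every byte value equally frequent, entropy 8.0).
ORIGINAL_DOC = b"Quarterly report: revenue up 4%, costs flat. Do not share.\n" * 40
EDITED_DOC = ORIGINAL_DOC + b"Update: headcount unchanged this quarter.\n"
CIPHERTEXT = bytes(range(256)) * 16

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or random data, well under 5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def allowlist_only(process: str, new_data: bytes, old_data: bytes) -> bool:
    """Vulnerable policy: the identity of the writing process is the only check,
    so a trusted app relaying clipboard contents is always allowed through."""
    return process in TRUSTED_APPS

def allowlist_with_entropy_check(process: str, new_data: bytes, old_data: bytes,
                                 threshold: float = 7.0) -> bool:
    """Hardened policy (assumed heuristic): a trusted app may not replace
    readable content with high-entropy data, the signature of a file being
    encrypted in memory and written back through a proxy application."""
    if process not in TRUSTED_APPS:
        return False
    if old_data and shannon_entropy(old_data) < threshold <= shannon_entropy(new_data):
        return False  # ciphertext overwriting plaintext: block the write and alert
    return True

def run_scenarios(policy) -> dict:
    """Evaluate a policy against a benign edit, an untrusted writer, and the overwrite."""
    return {
        "benign_edit": policy("notepad.exe", EDITED_DOC, ORIGINAL_DOC),
        "untrusted_writer": policy("dropper.exe", CIPHERTEXT, ORIGINAL_DOC),
        "cut_and_mouse": policy("notepad.exe", CIPHERTEXT, ORIGINAL_DOC),
    }
```

Under the allowlist-only policy the relayed overwrite is accepted because the writer is trusted; the entropy check blocks it while still admitting the ordinary edit, which is the kind of content-aware check the identity-based design lacks.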