This is what security researchers call a very large attack surface, meaning there is a lot of potentially vulnerable code that attackers can reach in a variety of ways. Furthermore, when it comes to antivirus products, much of this code runs with the highest possible privilege, something that researchers argue should be avoided as much as possible.
Research shows that antivirus products provide "an easily accessible attack surface that dramatically increases exposure to targeted attacks," said Google security researcher Tavis Ormandy in a blog post back in September, in which he analyzed one of the many antivirus vulnerabilities he found in recent months. "For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software."
Since June, Ormandy has found and reported over 25 vulnerabilities in antivirus products from ESET, Kaspersky Lab, AVG and Avast. In the past he also found flaws in products from Sophos and Microsoft.
Many of the flaws found by Ormandy stemmed from file and data parsing operations, which have historically been a source of vulnerabilities in all types of applications.
"In future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges," Ormandy said. "The chromium sandbox is open source and used in multiple major products. Don’t wait for the network worm that targets your product, or for targeted attacks against your users, add sandboxing to your development roadmap today."
Ormandy is not the first to sound the alarm about the lack of security mitigations like sandboxing in antivirus products and the fact that too many of their components run with system privileges.
In 2014, a security researcher named Joxean Koret found remotely and locally exploitable flaws in 14 antivirus products and their engines. He made largely the same observations as Ormandy.
According to Koret, at the very least, the antivirus industry needs to adopt techniques like privilege separation and sandboxing, but more is needed to truly secure antivirus products.
Many such programs are vulnerable to man-in-the-middle attacks because they don't use SSL/TLS for communication and the components they download are often not signed. They don't implement any of the anti-exploitation measures that modern browsers have and they don't use emulation to scan executable files or use memory-safe languages, he said via email.
Even worse, evidence suggests that many antivirus products are not even properly audited for security flaws, Koret said. "For example, looking at the vulnerabilities discovered by Tavis Ormandy, it's absolutely clear that they never audited the software at all because such vulnerabilities would be detected by an auditor during the first assessment in, probably, one week."