iViZ discovers vulnerabilities in antivirus software

CIOL Bureau

BANGALORE, INDIA: iViZ, an information security company that offers "Green Cloud Security", on-demand penetration testing for applications, networks and compliance, announced that it had discovered new classes of vulnerabilities in many popular commercial and open source antivirus products. These vulnerabilities could potentially allow attackers to break into systems running such antivirus software.

Bala Girisaballa, vice president, head of product management and marketing, iViZ, said: “An attacker first crafts an email with a malicious payload and sends it to the target user. When the email is scanned by the vulnerable antivirus software, it can either crash the antivirus software or execute arbitrary code, resulting in complete security bypass and remote system compromise.”

The iViZ “Green Cloud Security” vulnerability research team discovered abnormal behaviour in several security tools when they handled complex or unusual executable header data, especially in executables packed with third-party packers such as UPX, FSG, etc.

Multiple bugs were found in antivirus software when it processed malformed packed executables. Some of these bugs proved to be security vulnerabilities that could turn the antivirus itself into a back door for hackers.

The affected antivirus software vendors were informed of this anomalous behaviour. The affected software includes many popular commercial and open source antivirus products such as AVG, F-Secure (F-Prot), Sophos, ClamAV, BitDefender and Avast. Other software could also be vulnerable.

Bikash Barai, CEO, iViZ, said: “We work closely with the vendors to help them with details and also in developing the solution. The vulnerability is disclosed in public only after coordinating with vendors and ensuring their users’ safety. To ensure that our research cannot be maliciously used by attackers, the proof of concept exploits that demonstrate such real attacks in public are not released.”

Companies and businesses in sectors such as banking, finance and insurance, IT/ITES and consulting, online retail, e-commerce, manufacturing, telecommunications, R&D and media, among others, are highly susceptible to such risks and should make it mandatory to conduct periodic penetration testing to assess the security of their systems and networks.

Networks and applications could include off-the-shelf products (operating systems, applications, databases, networking equipment, etc.), bespoke development (dynamic web sites, in-house applications, etc.) and wireless (Wi-Fi, Bluetooth, IR, GSM and RFID).

“Regular periodic penetration testing can help companies combat the constantly evolving vulnerabilities and threats. Today there is a need for a more educated and alert user, and a vision to look beyond conventional security mechanisms in corporate information security,” Barai added.
