UPDATED April 28 with comment from Malwarebytes.
More than 28 consumer and enterprise antivirus products from 16 different brands may have a serious software flaw that could cripple PCs, Macs and Linux boxes, security firm RACK911 reports.
The affected companies include well-known names such as Kaspersky, McAfee, Microsoft and Norton. Windows, macOS and Linux products are all affected.
- The best antivirus software: Protect your PC against threats
- Best Mac antivirus software to lock down your Mac
- Latest: Dell XPS 15 2020 leak reveals a MacBook Pro killer
Exploiting the flaw could trick AV software to delete its own files or even delete critical system files, leaving the system open to attack or even bricking the computer entirely.
"We were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS," RACK911 said in a blog post outlining the findings.
"Most of the antivirus vendors have fixed their products, with a few unfortunate exceptions," RACK911 said. "Given how many vendors were vulnerable, it's our belief that there are even more lesser-known products out there susceptible to these sorts of attacks."
In an update to its initial blog post, RACK911 said, "We have received questions about lesser-known antivirus software not listed on this page and all were found to be vulnerable."
How to protect yourself against this attack
You should make sure that your antivirus software is fully up to date, as any flaw has probably been patched.
Notably, none of our top choices among the best antivirus software for Windows (including products from Bitdefender, Kaspersky and Norton) were named as vulnerable, although some of our picks for best Mac antivirus (from those same brands) were. Fewer Windows consumer products seem to be affected than Mac consumer products or Windows and Linux enterprise products.
It may be that Windows enterprise products have deeper "hooks" into the operating systems than consumer products, or that even the best-known brands (such as Microsoft's Defender software for Mac) are less aware of possible flaws in Mac and Linux than they are in Windows.
The affected antivirus software
RACK911 did not name which AV vendors had not fixed their flaws, but the brands and products found to be vulnerable were as follows. Products that have definitely been patched are indicated, and we'll add more patched products if we're notified of such.
- Avast: Avast Free Antivirus (Windows, consumer)
- AVG: AVG AntiVirus for Mac (Mac, consumer, PATCHED)
- Avira: Avira Free Antivirus (Windows, consumer, PATCHED)
- Bitdefender: Bitdefender Total Security (Mac, consumer, PATCHED); Bitdefender GravityZone (Windows and Linux, enterprise, both PATCHED)
- Comodo: Comodo Endpoint Security (Windows and Linux, enterprise)
- ESET: ESET Cyber Security (Mac, consumer, PATCHED); ESET File Server Security (Linux, enterprise, PATCHED)
- F-Secure: F-Secure Computer Protection (Windows, enterprise, PATCHED); F-Secure Linux Security (Linux, enterprise, PATCHED)
- FireEye: FireEye Endpoint Security (Windows, enterprise)
- Kaspersky: Kaspersky Internet Security for Mac (Mac, consumer, PATCHED); Kaspersky Endpoint Security (Windows and Linux, enterprise, both PATCHED)
- Malwarebytes: Malwarebytes for Windows (Windows, consumer, PATCH COMING)
- McAfee: McAfee Total Protection (Mac, consumer); McAfee Endpoint Security (Windows, enterprise); McAfee Endpoint Security (Linux, enterprise, PATCHED)
- Microsoft: Microsoft Defender (Mac, enterprise, PATCHED)
- Norton: Norton Security (Mac, consumer, PATCHED)
- Panda: Panda Dome (Windows, consumer)
- Sophos: Sophos Home (Mac, consumer, PATCHED); Sophos Intercept X (Windows, enterprise, PATCHED); Sophos Antivirus for Linux (Linux, enterprise, PATCHED)
- Webroot: Webroot SecureAnywhere (Windows and Mac, consumer, both PATCHED)
UPDATES: Malwarebytes told us April 28 that it is "working on a patch for this issue that we expect to have available for customers shortly."
Microsoft told us April 29 that "none of our antimalware products are currently vulnerable to the methods discussed in this research." FireEye told us that same day that "we don't have anything further to add on this topic."
Avast told us May 1 that this flaw "does not apply to Avast or AVG Antivirus (free or paid) products because checks performed by the Avast and AVG File Shield would detect and block the attack."
How the attack works
Basically, the attack tricks the AV software into thinking a critical file is actually malware, which the AV software then quarantines or deletes.
This is possible because any user or process can create a link to other directories (in Windows) or files (in Mac and Linux). If AV software spots a malicious file, it flags the file for quarantine or deletion -- but, crucially, that action doesn't happen right away.
In the brief interval, which can be only a few seconds, between flagging a malicious file and the AV software's neutralization action, the attacker can create a link from the malicious file's location to that of an identically named file elsewhere on the machine.
So when the AV software comes back around and deletes or quarantines what it thinks is a malicious file, it's actually deleting a perfect legitimate, even crucial, file elsewhere on the system.
"One second too early or one second too late and the exploit will not work," the RACK911 blog explains.
Any kind of malware could pull this off
This attack cannot be done remotely. The attacker must already have access to the system, but that's easier that it seems. Any unprivileged malware that got onto the system by other means would be able to pull it off. The best antivirus software will go a long way to prevent that from happening.
Nevertheless, RACK911 had some choice words for the antivirus vendors it worked with to fix these flaws.
"We have been involved in penetration testing for a long time and never imagined our counterparts in the antivirus industry would be so difficult to work with due to constant lack of updates and total disregard in the urgency of patching the security vulnerabilities," its blog post said.
"It's extremely important that file operations happen with the lowest level of authority to prevent attacks from taking place," it added.
"One must always assume the user is malicious and by performing privileged file operations within reach of the user, it's opening the door to a wide range of security vulnerabilities."
