It has been reported that security researchers have found “symlink race” vulnerabilities in 28 of today’s most popular antivirus products. The researchers said in a report that the bugs can be exploited by an attacker to delete files used by the antivirus or by the operating system, resulting in crashes or rendering the computer unusable. Given that almost all antivirus software runs with the highest privileges on the operating system, it will continue to be a high-value target for cybercriminals.
To weaponise the “symlink race” flaws found in 28 popular antivirus products, attackers would first need to establish a local presence on the victim’s system, or ship the malicious code as part of malware, in order to create a directory junction (Windows) or symlink (macOS/Linux). That link redirects the antivirus product’s own privileged file operations, so it could be used to remove important system files, including those belonging to the operating system or to the antivirus software itself. In doing so, the machine may be rendered unusable or the antivirus product disarmed.
To successfully exploit these flaws, timing is of the essence, as they rely on a race condition. However, the researchers found that in some cases precise timing wasn’t necessary: if the malicious code was simply run over and over, it would eventually win the race and exploitation would succeed.
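As an added illustration (not code from the report or from any affected product), the following Python sketch shows the defensive pattern that closes this class of bug on Linux/macOS: the quarantine directory is reached one component at a time with O_NOFOLLOW and every operation is performed relative to that directory handle (dir_fd), so a junction or symlink swapped into the path during the race cannot redirect the unlink to a system file. The fixture layout, file names and the `safe_remove` routine are constructed for this example; the Windows analogue (a directory handle opened without following reparse points, with deletion relative to it) is not shown.

```python
import os
import stat
import tempfile

def open_dir_nofollow(path):
    """Walk `path` one component at a time via openat(), refusing to cross any
    symlink, so a component swapped mid-walk cannot redirect later steps."""
    fd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in [p for p in os.path.abspath(path).split(os.sep) if p]:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)  # ELOOP on a link
            os.close(fd)
            fd = nfd
    except OSError:
        os.close(fd)
        raise
    return fd

def safe_remove(quarantine_dir, name):
    """Unlink the regular file `name` inside `quarantine_dir` without resolving
    a path string through symlinks. False means refused (fail closed)."""
    if os.sep in name or name in ("", ".", ".."):
        return False                      # one component only: no traversal
    try:
        dfd = open_dir_nofollow(quarantine_dir)   # refuses a linked (or swapped) dir
    except OSError:
        return False
    try:
        st = os.lstat(name, dir_fd=dfd)   # lstat never follows the entry itself
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False                  # symlink, dir, device, or hard-linked alias
        # Swapped after lstat? unlink(2) removes only the name, never a link's target.
        os.unlink(name, dir_fd=dfd)
        return True
    except FileNotFoundError:
        return False
    finally:
        os.close(dfd)

def build_scenario():
    """Constructed fixture: sample + symlink-to-protected inside quarantine, protected file outside."""
    root = os.path.realpath(tempfile.mkdtemp())   # realpath: no symlinked /tmp
    protected = os.path.join(root, "protected.dat")
    qdir = os.path.join(root, "quarantine")
    os.mkdir(qdir)
    for path, body in ((protected, "must survive"), (os.path.join(qdir, "sample.bin"), "x")):
        with open(path, "w") as f:
            f.write(body)
    os.symlink(protected, os.path.join(qdir, "evil"))
    return root, protected, qdir
```

Running `safe_remove` against the fixture deletes `sample.bin`, refuses the `evil` symlink, and refuses everything once the quarantine directory itself has been replaced by a link, leaving `protected.dat` untouched in every case.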
It’s positive that most of the vendors have worked to address this particular issue in their products. Unfortunately, because antivirus software runs with the highest privileges on the operating system, it will continue to be a high-value target for cybercriminals.