A Mac keyboard with a virus key

Richard Patterson/Flickr

Top antivirus software could have let a hacker crash your computer

Over two dozen antivirus products had the bugs.


Mikael Thalen


Posted on Apr 27, 2020   Updated on Apr 28, 2020, 6:53 am CDT

Over two dozen antivirus products were found to contain vulnerabilities that could have allowed an attacker to crash a user’s computer.

Researchers with RACK911 Labs discovered the bugs, according to ZDNet. The bugs are known as “symlink race” vulnerabilities.

Such a problem results when an ordinary computer file has been linked with a malicious one, allowing an attacker to control the legitimate file.

The attack takes place when an antivirus program is scanning and locating malicious files but has not yet deleted them. That small window is when the attacker can essentially replace the file deemed malicious with a legitimate one.

From there, a hacker could have the antivirus software delete the necessary system files, resulting in a system crash or the entire operating system being corrupted.

RACK911 Labs was able to find these vulnerabilities in 28 major antivirus programs for Linux, Mac, and Windows. Affected products include those from big names companies such as Microsoft, McAfee, Bitdefender, Kaspersky, and Avira.

“Make no mistake about it, exploiting these flaws were pretty trivial and seasoned malware authors will have no problem weaponizing the tactics outlined in this blog post,” RACK911 Labs writes. “The hardest part will be figuring out when to perform the directory junction or symlink as timing is everything; One second too early or one second too late and the exploit will not work.”

The team says it has been finding these bugs in antivirus tools since 2018, alerting each company to the vulnerabilities along the way.

While the majority of the antivirus companies, including F-Secure, AVG, Symantec, and McAfee, responded by patching the bugs, some did not. RACK911 Labs has declined to publicly state which companies have failed to do so.

The researchers hope that by bringing attention to the vulnerabilities, those remaining companies will choose to fix their products.

“Almost every antivirus vendor mentioned on this page is now patched with the exception of a few, who will likely have patches out shortly given the media attention,” RACK911 Labs noted. “The goal of this disclosure was not to name and shame vendors, but to bring attention to how easy it was to leverage the antivirus software to become destructive tools.”

The team also added that after being asked to check “lesser-known” antivirus programs, “all were found to be vulnerable.”



Share this article
*First Published: Apr 27, 2020, 6:00 pm CDT