Symlink race bugs found in 28 popular antivirus programs

According to this report by Rack911, “symlink race” flaws were detected across 28 popular antivirus programs – Tenable Comments

The researchers used a unique method of directory junctions and symlinks to turn almost every antivirus software into self-destructive tools. Given that almost all antivirus software runs with the highest privileges on the operating system, it will continue to be a high-value target for cybercriminals.

Commenting on this Satnam Narang, Principal Research Engineer at Tenable said, “To weaponize the “symlink race” flaws found in 28 popular antivirus products, attackers would first need to establish a local presence on the victim’s system or include the malicious code as part of malware to create a directory junction (Windows) or symlink (macOS/Linux).

This code could be used to remove important system files including those associated with the operating system or antivirus software itself. In doing so, the machine may be rendered useless or the antivirus product would be disarmed, he added.

To successfully exploit these flaws, timing is of the essence as the flaws rely on a race condition. However, researchers found in some cases that timing wasn’t necessary if the malicious code was continually running over and over, it would eventually lead to successful exploitation. 

It’s positive that most of the vendors have worked to address this particular issue in their products. Unfortunately, because antivirus software runs with the highest privileges on the operating system, it will continue to be a high-value target for cybercriminals.