Antivirus vendor Bitdefender said in an emailed statement that targeted attacks against endpoint security programs "are definitely possible," but that they will likely be aimed at enterprise environments, not consumers.
Penetration testers have long been aware of the exploitation potential of antivirus products. A security researcher who works for a large technology company said that his team often tries to exploit vulnerabilities in antivirus management servers during penetration testing engagements because those servers have privileged control over endpoint systems and can be used for lateral movement inside corporate networks. He wished to remain anonymous because he didn't have approval from his employer to comment for this story.
Exploits for corporate antivirus management servers were listed in the portfolio of Vulnerabilities Brokerage International leaked from Hacking Team and can also be found in public exploit databases.
Antivirus vendors don't seem too concerned about the potential for widespread attacks against their consumer products. For the most part, researchers agree that such attacks are unlikely for now because typical cybercriminal gangs have other, more popular, targets to attack such as Flash Player, Java, Silverlight, Internet Explorer or Microsoft Office.
However, the creators of those widely used applications have increasingly added exploit mitigations to them in recent years, and as more people update to newer and better protected versions attackers might be forced to find new targets. Therefore, future attacks against antivirus products used by tens of millions or hundreds of millions of consumers can't be ruled out, especially if cybercriminals get their hands on previously unknown -- zero-day -- vulnerabilities, as they have done from time to time.
For now, though, organizations rather than consumers might face the greatest risk of attack through antivirus flaws, especially those operating in industries frequently targeted by cyberespionage groups.
Exploiting antivirus products is too easy
Antivirus products are created by humans, and humans make mistakes. It is unreasonable to expect such programs to be completely bug-free, but it's fair to expect them to have fewer flaws than other types of software and for those flaws to be harder to exploit.
It's also reasonable to expect companies that are part of the IT security industry to follow secure programming guidelines, to implement common anti-exploitation defenses in their products and to perform frequent code audits and vulnerability testing.
Unfortunately, these things seem to be rare in the antivirus world.
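One concrete check an auditor or penetration tester can make along these lines is whether a security product's executables and DLLs actually opt into the standard Windows exploit mitigations. The following is an added example and is not code from the article or from any antivirus vendor: it parses the DllCharacteristics field of a PE optional header and reports which opt-in mitigations (ASLR via DYNAMIC_BASE, DEP via NX_COMPAT, Control Flow Guard, and high-entropy ASLR on 64-bit images) are absent. The `build_sample_pe` helper constructs a minimal, non-loadable header purely to exercise the parser offline; the file-path mode at the bottom is how you would point it at a real binary.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flags as defined in the PE/COFF specification.
DLLCHAR_HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DLLCHAR_DYNAMIC_BASE    = 0x0040   # image may be relocated (ASLR)
DLLCHAR_FORCE_INTEGRITY = 0x0080   # loader enforces code signing
DLLCHAR_NX_COMPAT       = 0x0100   # image is DEP/NX compatible
DLLCHAR_GUARD_CF        = 0x4000   # Control Flow Guard enabled

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Return which opt-in mitigations a PE image advertises in its optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    _machine, _nsect, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+.
    if opt_size < 72 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    pe32plus = magic == PE32PLUS_MAGIC
    return {
        "pe32plus": pe32plus,
        "aslr": bool(dllchars & DLLCHAR_DYNAMIC_BASE),
        "high_entropy_va": pe32plus and bool(dllchars & DLLCHAR_HIGH_ENTROPY_VA),
        "dep": bool(dllchars & DLLCHAR_NX_COMPAT),
        "cfg": bool(dllchars & DLLCHAR_GUARD_CF),
        "force_integrity": bool(dllchars & DLLCHAR_FORCE_INTEGRITY),
    }


def missing_mitigations(data: bytes) -> list:
    """List the mitigations a hardened product binary would be expected to enable but does not."""
    m = pe_mitigations(data)
    wanted = ["aslr", "dep", "cfg"] + (["high_entropy_va"] if m["pe32plus"] else [])
    return [name for name in wanted if not m[name]]


def build_sample_pe(dllchars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (not a loadable binary) used only to exercise the parser."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew -> PE signature at 0x80
    img[0x80:0x84] = b"PE\0\0"
    opt_size = 0xF0 if pe32plus else 0xE0                   # standard optional header sizes
    struct.pack_into("<HHIIIHH", img, 0x84,
                     0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0002)
    struct.pack_into("<H", img, 0x98, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", img, 0x98 + 70, dllchars)        # DllCharacteristics
    return bytes(img)


if __name__ == "__main__":
    # Usage: python this_script.py <path-to-exe-or-dll>
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    gaps = missing_mitigations(blob)
    print("missing mitigations:", ", ".join(gaps) if gaps else "none")
```

These header flags are necessary but not sufficient: SafeSEH and the CFG function table live in the load-configuration directory, and system-wide mandatory ASLR policy can relocate an image that did not set DYNAMIC_BASE. They are, however, the quickest way to spot a product shipping binaries that never opted into the baseline defenses the paragraph above asks for.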
Antivirus programs need to be able to inspect a lot of data and file types from a variety of sources: the Web, email, the local file system, network shares, USB attached storage devices, etc. They also have a large number of components that implement various layers of protection: drivers for intercepting network traffic, plug-ins that integrate with browsers and email clients, graphical user interfaces, antivirus engines with their subsystems that perform signature-based, behavior-based and cloud-based scanning and more.