Image: Maico Amorim

Security researchers from RACK911 Labs said in a report published this week that they found "symlink race" vulnerabilities in 28 of today's most popular antivirus products.

RACK911 says the bugs can be exploited by an attacker to delete files used by the antivirus or by the operating system, resulting in crashes or rendering the computer unusable.

The vulnerability at the heart of these bugs is called a "symlink race[1]," Dr. Vesselin Bontchev[2], a member of the National Laboratory of Computer Virology at the Bulgarian Academy of Sciences, told ZDNet today.

A symlink race occurs when an attacker swaps a file or directory that a privileged program is about to act on for a symbolic link to some other, legitimate file, in the window between the program checking the path and using it; the program's action then lands on the link's target instead. Symlink races are commonly used to point such links at higher-privilege files, producing Elevation-of-Privilege (EoP) attacks.

"It's a very real and old problem with operating systems that allow concurrent processes," Dr. Bontchev told ZDNet. "Many programs have been found to suffer from it in the past."

Years of work researching AV products

In a report published this week[3], the RACK911 team said it's been researching the presence of such bugs in antivirus products since 2018.

They found 28 products across Linux, Mac, and Windows to be vulnerable, and notified vendors along the way.

"Most of the antivirus vendors have fixed their products with a few unfortunate exceptions," the RACK911 team said this week. Some vendors acknowledged the issues in public advisories [1, 2, 3, 4], while others appear to have rolled out silent patches. The RACK911 team did not name the products that didn't patch.

Image: RACK911 Labs

RACK911 says that antivirus products,
