Microsoft Application Verifier exposes a 0-day vulnerability; Trend Micro, Kaspersky, Symantec and a large number of other security products affected - vulnerability warning - the black bar safety net

ID MYHACK58:62201784550
Type myhack58
Reporter Anonymous
Modified 2017-03-22T00:00:00


Recently the company Cybellum disclosed a 0-day vulnerability that lets an attacker take complete control of most security products. The vulnerability has been named "DoubleAgent" (a double-sided spy), and many security vendors are affected by it, including Avast, AVG, Avira, Bitdefender, Trend Micro, Comodo, ESET, F-Secure, Kaspersky, Malwarebytes, McAfee, Panda, Quick Heal and Symantec (Norton). So far only a few of these companies have released a patch for the vulnerability.

Affected vendors (with CVE numbers where assigned):
Avast (CVE-2017-5567)
AVG (CVE-2017-5566)
Avira (CVE-2017-6417)
Bitdefender (CVE-2017-6186)
Trend Micro (CVE-2017-5565)
Comodo
ESET
F-Secure
Kaspersky
Malwarebytes
McAfee
Panda
Quick Heal
Norton

Exploit

The attack relies on Microsoft's validation tool for unmanaged code, Application Verifier. Application Verifier was introduced in the Windows XP era and is installed by default in every Windows version; its purpose is to help developers quickly find subtle programming errors in their applications, which is why the vulnerability is usable on all versions of Windows. The tool loads a so-called "verifier provider DLL" into the target application while it is under test. Once the DLL has been registered in the Windows registry as the provider DLL for a given process name, Windows automatically injects it into every process with that name.

According to Cybellum, the way Application Verifier works gives a large amount of malware the ability to execute with higher privileges: an attacker can register a malicious DLL so that it is injected into the antivirus or other endpoint security product, and thereby hijack the agent. Some security products try to protect their own registry entries against this, but the researchers found a way to easily bypass that protection.
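The registration mechanism described above can be audited from the defender's side, because Windows records provider DLLs in a well-known place. The PowerShell snippet below is an added example written for this write-up, not Cybellum's or Microsoft's code; it assumes the standard Image File Execution Options key with its VerifierDlls and GlobalFlag values as the location where Application Verifier registrations live (the article itself does not name the key), and the short list of Microsoft's own provider DLL names it treats as expected is an assumption that an analyst should tune locally.

```powershell
# Added defensive check (not from the original article): list every image under
# Image File Execution Options that carries a VerifierDlls value, i.e. every
# executable for which Windows will load an Application Verifier provider DLL
# at start-up. Key path and value names are the standard Application Verifier
# locations; they are assumed here to be the registration the article refers to.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$FLG_APPLICATION_VERIFIER = 0x100   # GlobalFlag bit that switches Application Verifier on

# Assumed allow-list of Microsoft's own verifier provider DLLs; tune for your estate.
$knownProviders = @('vrfcore.dll', 'vfbasics.dll', 'vfcompat.dll', 'vfprint.dll',
                    'vfnet.dll', 'vfluapriv.dll')

function Get-VerifierRegistrations {
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.PSObject.Properties.Name -contains 'VerifierDlls') {
            # VerifierDlls may hold several space-separated DLL names.
            $dlls = @($props.VerifierDlls -split '\s+' | Where-Object { $_ })

            # GlobalFlag is usually a REG_SZ such as "0x100"; [int] parses that form.
            $gf = 0
            if ($props.PSObject.Properties.Name -contains 'GlobalFlag') {
                try { $gf = [int]$props.GlobalFlag } catch { $gf = 0 }
            }

            $unexpected = @($dlls | Where-Object { $knownProviders -notcontains $_.ToLower() })

            [pscustomobject]@{
                Image        = $_.PSChildName
                VerifierDlls = ($dlls -join ' ')
                VerifierOn   = (($gf -band $FLG_APPLICATION_VERIFIER) -ne 0)
                # Any provider DLL outside the known Microsoft set, on a host that is
                # not a developer's workstation, deserves a closer look.
                Unexpected   = ($unexpected.Count -gt 0)
            }
        }
    }
}

Get-VerifierRegistrations | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

On a production endpoint there is normally no reason for any image to have a VerifierDlls value at all, so the presence of an entry, and in particular one naming a security product's process with a non-Microsoft DLL, is a useful hunting signal; forwarding registry-set events for this key to the SIEM turns the same check into a continuous detection rather than a point-in-time audit.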
Once malware has hijacked a security product, an attacker can use it to do many things, such as making the security product carry out the malicious operations a hacker would: modifying whitelists/blacklists or internal logic, downloading backdoors, leaking data, spreading malware to other machines, or encrypting/deleting files in the manner of ransomware. The malicious code keeps being injected after a system reboot, after a software upgrade and even after the security product is reinstalled, so this attack is difficult to defend against. The so-called "DoubleAgent" attack is said to work on all Windows versions; however, because it is built on a legitimate tool, Microsoft has no countermeasure for it either.