
Bitdefender Anti-Virus: Heap Buffer Overflow via 7z LZMA - landave
https://landave.io/2017/08/bitdefender-heap-buffer-overflow-via-7z-lzma/
======
jimrandomh
With most types of software, if you're stuck with C/C++, you want to keep the
development to a high standard where there aren't any bugs like this. But
anti-virus software is unusual in that it needs to handle malicious input of
an unusually wide variety of file formats, which makes completely eliminating
file-format vulnerabilities basically unfeasible without some sort of broadly-
applicable fix.

That fix could be a memory-safe language, or it could be sandboxing. But the
assumption should be that for any antivirus product which does its file-
parsing in C or C++, and which doesn't sandbox its scanning engine, there's
going to be at least one critical vulnerability in the scanner. Bitdefender is
still unsandboxed, so fixing this particular vulnerability is only of limited
use; there are almost certainly other, similar vulnerabilities in it, so users
running it are vulnerable to anyone with the resources to find one.

AV companies have mostly gotten away with this sort of thing in the past,
because individual AV scanners tend to have low enough market share that they
aren't as desirable targets as web browsers. But Windows Defender recently
broke that trend by being present on every Windows system, and having a
critical vulnerability, so now there are a lot more researchers looking at
unsandboxed AV scanning engines and finding problems.

~~~
QAPereo
What would you recommend instead for a Win platform?

~~~
lucian1900
Nothing. There is no need for anything.

~~~
thephyber
> There is no need for anything.

This is a bit of a broad brush. It assumes that all people always act with the
best security hygiene.

I detest traditional AV as snake oil and realize that there is additional risk
added by using AV, but it does have its place in many threat models,
especially for those who are not internet+security literate.

~~~
ktRolster
AV will make those people who are not internet+security literate _more_
vulnerable. There have been vulnerabilities found in all major anti-viruses,
some of them were really bad. You're better off not using an antivirus. See
for example: [https://arstechnica.com/information-technology/2017/06/lates...](https://arstechnica.com/information-technology/2017/06/latest-high-severity-flaw-in-windows-defender-highlights-the-dark-side-of-av/)

Staying up to date on your updates is the best advice you can give.

~~~
FreakLegion
_> AV will make those people who are not internet+security literate more
vulnerable. There have been vulnerabilities found in all major anti-viruses,
some of them were really bad. You're better off not using an antivirus._

I don't think you can reasonably defend this position.

Let's take a pessimistic guess at the efficacy of antivirus software and say
it blocks 50% of the new malware generated in a given day. Now let's take a
wildly optimistic stab at the added risk of using antivirus and say it
increases your exposure by 1%.

Are you really saying that a 1% risk increase is too high a price to pay for
halving your risk overall?

Don't get me wrong, there are all kinds of reasons for power users to bemoan
antivirus. RCE vulnerabilities are certainly one, but even just day-to-day
usability issues are a legitimate concern. The average user, though, is still
statistically much safer with antivirus.

_> Staying up to date on your updates is the best advice you can give._

The vast majority of attacks don't involve vulnerabilities, even counting
events like WannaCry. It's mostly down to people clicking on things they
shouldn't be clicking on. Keeping your software updated is important, of
course, but absolutely will not keep you safe.

~~~
mulmen
Oh this looks like a fun game. Let me try. Let's take a pessimistic guess at
the efficacy of antivirus software and say it blocks 20% of the new malware
generated in a given day. Now let's take a wildly optimistic stab at the added
risk of using antivirus and say it increases your exposure by 35%.

Are you really saying that a 35% risk increase is an acceptable price to pay
for a small reduction in overall risk?

You can't just pull numbers out of thin air to make your point.

Experience has shown us that antivirus software does not do what it says on
the tin.

~~~
FreakLegion
_> You can't just pull numbers out of thin air to make your point._

_> Experience has shown us that antivirus software does not do what it says
on the tin._

Whose experience?

I built WildFire at Palo Alto Networks[1]. We analyzed a few tens of millions
of new potential threats daily, including the VirusTotal firehose.

As part of our internal efficacy and competitive monitoring, we took the top 5
enterprise antivirus products and ran everything coming into WildFire through
them.

The delta between ground truth and what the antivirus engines caught using
only static scanning and emulation was about a third, i.e. better than the
pessimistic estimate of half I threw out. (In the real world, antivirus
actually does better because malware is easier to catch after it starts
running.)

The danger of antivirus, on the other hand, is wildly overstated in this
thread. A small fraction of attacks use vulnerabilities to begin with, and in
the scheme of things, very few antivirus vulnerabilities have been found. 1%
is just a nice, round number chosen for illustrative purposes; it's orders of
magnitude greater than the real risk.

Now, this will surprise exactly no one who works in security, since most new
malware is a minor variant of existing malware and exploits are relatively
uncommon, but for the less experienced folks reading these comments, I implore
you: Don't listen to people who say antivirus is useless or, worse, makes you
less secure.

It isn't. It doesn't. They're wrong.

1. It's the biggest ATP product out there, took the crown from FireEye c.
2015. [https://www.paloaltonetworks.com/products/secure-the-network...](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/wildfire)

~~~
mulmen
> Whose experience?

Off the top of my head, users of Bitdefender.

You're right of course, my point is that without some evidence you're just
making up numbers to prove your point and any jerk with a keyboard (like say,
me) can do the same thing. Thanks for providing some background to those
numbers.

~~~
xenophonf
This Bitdefender vulnerability doesn't come with a PoC and is difficult to
exploit due to DEP and ASLR---hooray for defense in depth! I've got a thousand
nodes running Bitdefender in environments where malware runs rampant, and I'm
not really that worried about someone coming after us through the scan engine.
What I am going to do is make sure all my clients are up to date, which is
really no different than my existing patch management activities.

------
veeti
> Moreover, the engine runs unsandboxed and as NT Authority\SYSTEM.

Is there an antivirus that _doesn't_ parse untrusted input in a process with
full system privileges? What a joke.

~~~
recentdarkness
Already years (~7+) ago, AVG introduced an out-of-process scanning
implementation that opens the file in question with system rights, but
transfers the handle to a lower-privileged process (restricted with ACLs) that
actually performs the scan.

~~~
landave
That's interesting. Unfortunately, AVG has been acquired by Avast last year
[1]. I already looked into the new version of AVG a few months ago, and found
that they have replaced AVG's engine with Avast's engine. Since the scanner
always runs as NTAuthority\SYSTEM in the current Avast version, I would assume
that the same is true for the most recent AVG version. I'm not completely
sure, though, so don't quote me on that.

[1]: [https://press.avast.com/avast-announces-agreement-to-acquire...](https://press.avast.com/avast-announces-agreement-to-acquire-avg-for-13b)

~~~
recentdarkness
Well, since I have no longer been involved with them for a long time, I can't
really say how this all went and what the current state is.

However, this piece is relatively simple to implement on Windows, so I can only
hope they would implement the same thing for Avast eventually at least. This
is IMHO the only sane way to do scanning without exposing the system to a huge
risk.

------
WalterBright
"Assuming that the size is not explicitly casted, the compiler should throw a
warning of the following kind:"

In D, implicit truncation of an integer value is an error, not a warning.

I've predicted before that lack of memory safety will be the demise of C in
internet-facing programs. Dealing with the bugs is just too expensive.
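As an added illustration (not code from the article, the thread, or Bitdefender), here is the kind of narrowing the quoted compiler warning is about, in C: an explicit cast silences `-Wconversion` and the value wraps silently, whereas a checked narrowing rejects sizes that do not fit before any buffer is sized from them. The 64-bit header field and the decoder step are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoder state (not Bitdefender's code): the archive header
 * declares a 64-bit unpacked size, but the decoder keeps a 32-bit capacity. */
/* Unchecked narrowing. The explicit cast silences -Wconversion, and any size
 * above UINT32_MAX wraps: 0x100000004 becomes 4. */
static uint32_t narrow_unchecked(uint64_t declared)
{
    return (uint32_t)declared;
}

/* Checked narrowing: refuses sizes that do not fit instead of wrapping. */
static bool narrow_checked(uint64_t declared, uint32_t *out)
{
    if (declared > UINT32_MAX)
        return false;
    *out = (uint32_t)declared;
    return true;
}

/* Decoder step: size the output buffer from the header, then copy `len`
 * bytes of decoded data into it. Every write is bounded by the capacity
 * actually allocated, so a hostile header cannot become a heap overflow. */
static bool decode_into(uint64_t declared, const uint8_t *data, size_t len)
{
    uint32_t cap;
    if (!narrow_checked(declared, &cap))
        return false;            /* header claims a size we cannot represent */
    if (len > cap)
        return false;            /* more data than the buffer can hold */
    uint8_t *out = malloc(cap ? cap : 1);
    if (!out)
        return false;
    memcpy(out, data, len);
    free(out);
    return true;
}

int main(void)
{
    static const uint8_t payload[16] = {0};  /* constructed sample data */
    printf("%u %d\n", narrow_unchecked(0x100000004ULL),
           decode_into(0x100000004ULL, payload, sizeof payload));
    return 0;
}
```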

~~~
blub
It seems like your prediction is not becoming reality.

I have the following issue: I would like to be able to download a file from
the internet (jpeg, pdf, mp3, mp4, etc) without the risk of getting malware on
a Windows machine. Or Mac. Or Linux.

Can't be done.

Everything is relying on crappy C code dragging around pointers and sizes,
making index calculations, calling malloc and free.

~~~
WalterBright
> It seems like your prediction is not becoming reality.

We'll see. I only made it last May :-)

------
pmoriarty
_"Note also that Bitdefender’s engine is licensed to many different anti-virus
vendors, all of which could be affected by this bug."_

~~~
landave
That's right. The list of anti-virus products that license the Bitdefender
engine is extremely long. Actually, I wanted to include the most prominent
Bitdefender customers in the article to give an impression. I ended up not
doing so, because some license partners use the Bitdefender engine with
disabled archive extraction. In this case, they would not be vulnerable to
this bug, and I didn't want to mislead someone into thinking they are.

~~~
sebazzz
So if Bitdefender develops the engine, what does the anti-virus vendor do?
Only develop the input (definitions)?

~~~
landave
The definitions are licensed with the engine and can usually not be modified.

In a nutshell, most anti-virus vendors that are licensing the Bitdefender
engine extend it with their own engine to improve their detection rate. For
example, they support more exotic file formats and binary packers, or fancy
heuristics, etc. Essentially this means they have the full attack surface from
Bitdefender plus their own attack surface...

------
fosco
Might we agree to recommend to Microsoft users that they should use Microsoft
AV? About 6 months ago we had a similar discussion [0] which arrived at that
conclusion.

[0] [https://news.ycombinator.com/item?id=13489100](https://news.ycombinator.com/item?id=13489100)

------
atomical
> I want to thank Bitdefender and especially Marius for their response as well
> as for fixing the bug.

I don't see an update for the mac version.

~~~
landave
Bitdefender's core has dynamically loaded modules that are distributed with
the regular definition update, which runs fully automatically. So there is
nothing to do.

~~~
blub
There's also an appstore version which is unlikely to update the application
code together with the definitions.

------
bullen
Bitdefender has problems with HTTP comet stream. Stop buying it so the company
can go bankrupt.

