From sandbox escape to system pwnage, and more

UPDATE (July 30; 08:24 UTC) Comodo has released a hotfix to address these issues. Check out our latest article for details.

Multiple vulnerabilities have been uncovered in Comodo Antivirus, security researchers claim.

The flaws currently remain unpatched, according to Tenable, the security firm that discovered the bugs.

Comodo is yet to respond directly to a request from The Daily Swig to comment on the vulnerabilities, but it has reportedly acknowledged some of the flaws to Tenable as part of an ongoing disclosure process that began back in mid-April.

A variety of bugs that affect Comodo Antivirus, as well as Comodo Antivirus Advanced, are in play.

First up is a flaw (CVE-2019-3969) that is said to allow attackers to bypass a signature check, creating a means for local privilege escalation.

Tenable’s David Wells has put together a blog post on Medium explaining how the flaw creates a means for attackers to break out of a sandbox to obtain system access.

A separate bug (CVE-2019-3970) allegedly allows the modification of antivirus signatures, enabling attackers either to quarantine benign files on targeted systems or to bypass detection of malicious ones.

These various vulnerabilities are detailed in a post on Tenable’s research blog.

Tenable’s researchers also say they discovered a denial-of-service flaw (CVE-2019-3971), as well as a brace of memory handling flaws (CVE-2019-3972, CVE-2019-3973).

Security researchers have put together a proof-of-concept exploit, as well as a video explaining the flaws discovered in Comodo’s technology, in order to highlight their concerns and further illustrate the risks.

“At the time of this disclosure, we are not aware of any patches released by Comodo that address these vulnerabilities,” Tenable said. “We recommend to keep updated on future Comodo Antivirus releases.”

Responding to questions from The Daily Swig this week, a Comodo spokesperson said: “There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us.

“The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29.”

The spokesperson added: “We’ll have a hotfix on Monday, and we can provide more information with this release.”

Who guards the guards?

Antivirus software is designed to protect systems, and is best suited to defending Windows PCs and servers against well-known threats.

Tenable’s discovery is far from an isolated example of flaws in the technology.

Google’s Tavis Ormandy and others have uncovered an array of flaws in different antivirus products over the years.

This steady stream of flaws has encouraged sections of the security community to argue that antivirus products increase the attack surface to such an extent that they cause more problems than they address.

This remains a well-articulated but minority view, with most independent experts more inclined to argue that antivirus technologies continue to have an important role in security defences.

This article has been updated to include comments from Comodo.