
09/01/2017: Windows Application Verifier Antivirus DLL Injection | Security Bulletin

Threat Summary

Overview

There is a vulnerability in Microsoft’s Application Verifier. Application Verifier is a runtime verification tool for unmanaged code. An authenticated attacker can leverage this to inject their own custom verifier into any process. An attacker can take full control of the AV by injecting code and bypassing all of its self-protection mechanisms.

Exploitation

Stages

  1. An authenticated attacker (with admin privileges) injects the Double_Agent DLL into the antivirus process (one of a number of attack vectors).
  2. The attacker has full control over the antivirus product to inject further code.

Prerequisites

The attacker must have authenticated access to the system.

Vulnerability Description

There is a vulnerability in Microsoft’s Application Verifier. Application Verifier is a runtime verification tool for unmanaged code. An authenticated attacker can leverage this to inject their own custom verifier into any process. According to the original third-party researchers, once the custom verifier has been injected, the attacker has full control of the application. There are several reported attack vectors, but currently the only demonstrably exploitable vector is attacking antivirus products. An attacker can take full control of the application verifier by injecting code and bypassing all of its self-protection mechanisms.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

Detection of this threat is provided via the Alert Logic ActiveWatch™ for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
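Because a custom verifier is registered per executable under Image File Execution Options (IFEO), a host-side audit of those keys complements the log-based detection above. The following is an added example, not Alert Logic's code; it assumes an elevated PowerShell session on the Windows host being checked, and the allow-list of expected verifier DLLs is a constructed placeholder to be replaced with what your environment actually deploys.

```powershell
# Added example (not from the Alert Logic bulletin): list every IFEO entry that
# enables Application Verifier or names a verifier DLL, and flag DLLs that are
# not on the allow-list. Assumes an elevated PowerShell session on the host.

# FLG_APPLICATION_VERIFIER bit in the IFEO GlobalFlag value
$FlgAppVerifier = 0x100

# Native and WOW64 IFEO roots
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Constructed placeholder: verifier DLLs your organisation knowingly deploys.
$KnownVerifierDlls = @('vrfcore.dll', 'vfbasics.dll')

function Get-VerifierRegistration {
    foreach ($root in $IfeoPaths) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            $flag = 0
            if ($null -ne $props.GlobalFlag) { $flag = [long]$props.GlobalFlag }
            $dlls = [string]$props.VerifierDlls
            $verifierOn = (($flag -band $FlgAppVerifier) -ne 0)
            # Skip images with neither the verifier flag nor a DLL list.
            if (-not $verifierOn -and [string]::IsNullOrWhiteSpace($dlls)) { continue }
            # VerifierDlls is a space-separated list; anything unexpected is flagged.
            $unknown = @()
            foreach ($d in ($dlls -split '[ ,;]+' | Where-Object { $_ })) {
                if ($KnownVerifierDlls -notcontains $d.ToLowerInvariant()) { $unknown += $d }
            }
            [pscustomobject]@{
                Image        = $key.PSChildName
                Hive         = $root
                VerifierOn   = $verifierOn
                VerifierDlls = $dlls
                UnknownDlls  = ($unknown -join ',')
                Suspicious   = ($unknown.Count -gt 0)
            }
        }
    }
}

# Suspicious rows first; a verifier DLL registered against an antivirus
# executable is exactly the condition this bulletin describes.
Get-VerifierRegistration | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from a scheduled job or your EDR's script facility and alert on any row where Suspicious is True, then confirm the DLL on disk before acting.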

Recommendations for Mitigation

Update to the latest version of your antivirus software.
