a new zero-day code injection and persistence technique that can be used by attackers to take over applications and entire Windows machines. They demonstrated the attack on antivirus solutions, and ultimately dubbed it DoubleAgent, as it turns the antivirus security agent into a malicious agent.

“DoubleAgent exploits a legitimate tool of Windows called ‘Microsoft Application Verifier’ which is a tool included in all versions of Microsoft Windows and is used as a runtime verification tool in order to discover and fix bugs in applications,” the company explained. “Our researchers discovered an undocumented ability of Application Verifier that gives an attacker the ability to replace the standard verifier with his own custom verifier. An attacker can use this ability in order to inject a custom verifier into any application. Once the custom verifier has been injected, the attacker now has full control over the application”.

In fact, the attack can be used to compromise all kinds of applications, but the researchers chose to focus on antivirus solutions since this type of software is generally considered to be trusted. “By using DoubleAgent, the attacker can take full control over the antivirus and do as he wishes without the fear of being caught or blocked,” they noted. This includes:

Cybellum researchers demonstrated a DoubleAgent code injection against Symantec Norton antivirus, and offered PoC exploit code on GitHub. More technical details about the DoubleAgent technique can be found here.

The researchers have notified major antivirus vendors of their findings, and some of them (Malwarebytes, AVG) have already issued a patch for the vulnerability. Among the still vulnerable antivirus apps are those by Avast, BitDefender, ESET, Kaspersky, and F-Secure.
“Microsoft has provided a new design concept for antivirus vendors called Protected Processes. The new concept is specially designed for antivirus services. Antivirus processes can be created as ‘Protected Processes’ and the protected process infrastructure only allows trusted, signed code to load and has built-in defense against code injection attacks,” the researchers explained. “This means that even if an attacker found a new zero-day technique for injecting code, it could not be used against the antivirus as its code is not signed. Currently no antivirus (except Windows Defender) has implemented this design, even though Microsoft made this design available more than 3 years ago”.

The vulnerability that allows the DoubleAgent attack works on all Microsoft Windows versions and architectures. The attack technique can be used to take over any application, and even the OS. “We need to make more efforts to detect and prevent these attacks, and stop blindly trusting traditional security solutions,” the researchers noted.

We implemented the fix at the time of reporting and therefore can confirm that both the Avast and AVG 2017 products, launched earlier this year, are not vulnerable. It is important to note that the exploit requires administrator privileges to conduct the attack which is difficult for hackers to achieve
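
A defender-side check for the custom-verifier registration described above, added here as an example and not taken from the article or from Cybellum: it parses the text output of a recursive reg query and lists executables that have Application Verifier DLLs registered, flagging any DLL outside a baseline. The registry location (the VerifierDlls and GlobalFlag values under Image File Execution Options) is not stated in the article, the baseline DLL list is an assumption to adjust, and the sample image and DLL names are constructed.

```python
import re

# Verifier providers are registered per image under IFEO, in VerifierDlls.
IFEO_MARKER = "\\image file execution options\\"
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that turns the verifier on
# Assumed baseline of Microsoft-shipped providers; adjust for your estate.
KNOWN_PROVIDERS = {"vrfcore.dll", "vfbasics.dll", "vfcompat.dll",
                   "vfluapriv.dll", "vfprint.dll", "vfnet.dll"}

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = re.match(r"\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$", line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys

def audit_verifiers(text):
    """List executables with verifier DLLs registered, flagging unknown ones."""
    findings = []
    for path, values in parse_reg_query(text).items():
        dlls = values.get("VerifierDlls", "").lower().split()
        if IFEO_MARKER not in path.lower() or not dlls:
            continue
        flag = int(values.get("GlobalFlag", "0"), 16)
        findings.append({
            "image": path.rsplit("\\", 1)[1],
            "unknown_dlls": [d for d in dlls if d not in KNOWN_PROVIDERS],
            "verifier_enabled": bool(flag & FLG_APPLICATION_VERIFIER),
        })
    return findings

# Constructed sample output; the image and DLL names are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exampleav.exe
    GlobalFlag    REG_DWORD    0x100
    VerifierDlls    REG_SZ    examplehook.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\testapp.exe
    GlobalFlag    REG_DWORD    0x100
    VerifierDlls    REG_SZ    vrfcore.dll vfbasics.dll
"""

if __name__ == "__main__":
    print(*audit_verifiers(SAMPLE), sep="\n")
```

A finding with a non-empty unknown_dlls list on a security product's executable is the case worth investigating; entries that list only baseline providers usually come from developers running Application Verifier on purpose.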