FOXTROT/ALFA: Horrible Anti-Virus Software, Boeing Cancels Embraer Deal, New iPhone Delayed

Welcome to a new week and with it another issue of FOXTROT/ALFA. Issue 109 to be specific. These are your tech news for Monday, 27 April 2020:

Many Anti-Virus Programs Can Be Disabled with a Relatively Easy Attack

A security company has been able to get almost every anti-virus software on the market (on Windows, macOS and Linux) to self-destruct by feeding it instructions to delete important parts of its own files.

Most antivirus software works in a similar fashion: When an unknown file is saved to the hard drive, the antivirus software will usually perform a “real time scan” either instantly or within a couple of minutes. If the unknown file is determined to be a suspected threat, the file will then be automatically quarantined and moved to a secure location pending further user instructions or it will simply be deleted. What most antivirus software fails to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless, etc.

In our testing across Windows, macOS & Linux, we were able to easily delete important files related to the antivirus software that rendered it ineffective and even delete key operating system files that would cause significant corruption requiring a full reinstall of the OS. (When targeting Windows, we were only able to delete files that were NOT currently in use; however, some antivirus software would still remove the file upon a system reboot.) It’s important to note that we primarily focused on self-destructive behavior with these exploits. In some cases when we modified our original exploits to target certain directories and/or files, we observed file permission and ownership changes which could have easily led to privilege escalation type vulnerabilities within the operating system.

Make no mistake about it, exploiting these flaws was pretty trivial and seasoned malware authors will have no problem weaponizing the tactics outlined in this blog post. The hardest part will be figuring out when to perform the directory junction or symlink as timing is everything; one second too early or one second too late and the exploit will not work. With that said, a local malicious user who is attempting to escalate their privileges would be able to figure out the correct timing with little effort. In some of the antivirus software that we exploited, timing wasn’t important at all and a simple loop statement of running the exploit over and over was all that was needed to manipulate the antivirus software into self-destructing.

And which anti-virus products are we talking about here? Well, hold on to your hats!

Windows: Avast Free Anti-Virus, Avira Free Anti-Virus, BitDefender GravityZone, Comodo Endpoint Security, F-Secure Computer Protection, FireEye Endpoint Security, Intercept X (Sophos), Kaspersky Endpoint Security, Malwarebytes for Windows, McAfee Endpoint Security, Panda Dome, Webroot Secure Anywhere

macOS: BitDefender Total Security, Eset Cyber Security, Kaspersky Internet Security, McAfee Total Protection, Microsoft Defender (BETA), Norton Security, Sophos Home, Webroot Secure Anywhere

Linux: BitDefender GravityZone, Comodo Endpoint Security, Eset File Server Security, F-Secure Linux Security, Kaspersky Endpoint Security, McAfee Endpoint Security, Sophos Anti-Virus for Linux

That’s pretty much all of them, isn’t it? But wait… there’s probably more.

The lists above are the antivirus products that we directly tested and sent off individual vulnerability reports for that were confirmed by the vendors. In some cases, the antivirus vendors have multiple products with different names but the underlying (vulnerable) technology is still the same. With that said, the lists above are not an accurate representation of the extent of products that are vulnerable to the attacks described on this page.

But it gets better.

RACK911 Labs began notifying vendors in the fall of 2018 and to this date we have reported security vulnerabilities across all major platforms affecting every well-known antivirus vendor. Given how many vendors were vulnerable, it’s our belief that there are even more lesser-known products out there susceptible to these sorts of attacks. Most of the antivirus vendors have fixed their products with a few unfortunate exceptions.

We have been involved in penetration testing for a long time and never imagined our counterparts in the antivirus industry would be so difficult to work with due to constant lack of updates and total disregard in the urgency of patching the security vulnerabilities.

It’s now Spring of 2020 and every antivirus vendor that we have contacted has had at least 6 months to fix the security vulnerabilities; we feel the time is right to bring our research to the public. The exploits outlined in this post are not hard to perform and it’s time antivirus vendors step up their game to protect their customers!

For example, we also found that macOS and Linux antivirus vendors were constantly using temporary directories with predictable file names which could have resulted in root privilege escalations. To this date, there are still many vendors who write to /private/tmp (macOS) or /tmp (Linux) in such an insecure manner that further exploits would be trivial to perform. We cannot stress this enough: Stay out of tmp!

It’s our hope that antivirus vendors will rethink how file operations take place under user accessible directories. Whether it’s Windows, macOS or Linux, it’s extremely important that file operations happen with the lowest level of authority to prevent attacks from taking place. One must always assume the user is malicious and by performing privileged file operations within reach of the user, it’s opening the door to a wide range of security vulnerabilities!
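
An added example, not code from RACK911 Labs or from any vendor's product: one way a scanner on Linux or macOS can close the window between scan and cleanup described above, by keeping a descriptor on the parent directory from scan time and deleting relative to it only if the file's identity is unchanged. The `ScannedFile` class, the `demo` function and all file names are hypothetical, and the sandbox files are constructed test data.

```python
import os
import stat
import tempfile


class ScannedFile:
    """Scan-time handle: an fd on the parent directory plus the file's (dev, inode)."""

    def __init__(self, path):
        parent, self.name = os.path.split(os.path.abspath(path))
        # O_NOFOLLOW rejects a parent whose final component is a symlink.
        self.dirfd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
        st = os.stat(self.name, dir_fd=self.dirfd, follow_symlinks=False)
        self.ident = (st.st_dev, st.st_ino)

    def remove(self):
        """Delete only if the name still refers to the regular file that was scanned."""
        try:
            st = os.stat(self.name, dir_fd=self.dirfd, follow_symlinks=False)
            if not stat.S_ISREG(st.st_mode) or (st.st_dev, st.st_ino) != self.ident:
                return False
            # unlinkat() relative to the held fd: the directory path is never re-resolved.
            os.unlink(self.name, dir_fd=self.dirfd)
            return True
        except FileNotFoundError:
            return False
        finally:
            os.close(self.dirfd)


def demo():
    """Constructed sandbox: the scanned directory becomes a symlink before cleanup."""
    root = tempfile.mkdtemp()
    watched, other = os.path.join(root, "downloads"), os.path.join(root, "other")
    for d in (watched, other):
        os.mkdir(d)
        with open(os.path.join(d, "sample.bin"), "w") as fh:
            fh.write("constructed test data")
    path = os.path.join(watched, "sample.bin")
    handle = ScannedFile(path)                  # scan step
    os.rename(watched, watched + ".moved")      # directory swapped after the scan
    os.symlink(other, watched)
    return {
        "path_now_resolves_elsewhere": os.path.samefile(path, os.path.join(other, "sample.bin")),
        "removed_scanned_file": handle.remove(),
        "other_file_intact": os.path.exists(os.path.join(other, "sample.bin")),
        "scanned_file_gone": not os.path.exists(os.path.join(watched + ".moved", "sample.bin")),
    }
```

A user who owns the directory can still swap the name between the identity check and the unlink, but the unlink never follows a symlink in the final component and stays confined to the directory that was scanned. Doing the cleanup with the file owner's privileges rather than root's, as the quoted advice asks, limits what remains.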


Boeing Terminates Embraer Takeover

Boeing, as we know, is in dire straits. It’s so bad that they had to cancel their long-planned takeover of jet maker Embraer.

Boeing has terminated its $4.2 billion deal with Brazilian aircraft maker Embraer, the American company announced Saturday. The deal would have given Boeing a bigger stake in the market for smaller jets and help the company develop airplanes more cheaply.

Embraer responded Saturday in a press release that it will “pursue all remedies against Boeing for the damages incurred.” It called Boeing’s decision a wrongful termination.

LOL. Embraer is playing hardball. Good for them.

In its press release, the Brazilian company made reference to the Boeing 737 Max’s two fatal crashes that have cost the aircraft maker at least $18.7 billion. Embraer said the company was manufacturing “false claims” to avoid paying the $4.2 billion because of its “own financial condition and 737 Max and other business and reputational problems.”

The two had planned to create a joint venture by April 24, but the deadline passed without Embraer satisfying the necessary conditions, according to Boeing, which declined to go into details about the specific unmet conditions. The Brazilian company said it believes it fully satisfied the deal’s conditions.

It’s a shame. They would have made a nice team as I don’t trust either of them to produce airworthy planes these days.

Today’s ‘Rona News

The Israeli parliament has ordered the country’s government to stop spying on people to see if they have the ‘Rona. Good. That they could do that in the first place kinda makes a mockery of the rule of law and democratic oversight over there.

Israel’s use of phone tracking technology to track COVID-19 patients has come to a partial end. A parliamentary oversight committee has halted use of the tracking to enforce quarantines after raising privacy concerns. The privacy violations outweigh the benefits, committee member Ayalet Shaked said – the phone monitoring tech doesn’t help much when police already pay visits to COVID-19 patients to ensure they’re following the rules.

Police have so far argued that the tool is effective, having arrested 203 people with the help of phone location info. Law enforcement conducted about 500 random location checks per day.

Well, now they’re just subjugating the infected people in person, I guess. Well, that’s at least a partial improvement.

Meanwhile, in altogether more First World Problems, the production of the next iPhone is reportedly running late because of ‘Rona-related supply chain issues.

Production of the iPhone 12 is reportedly running behind schedule, as Apple wrestles with supply chain issues caused by the COVID-19 pandemic, as well as a travel ban imposed by the Chinese government. According to the Wall Street Journal, Apple is around one month behind schedule.

The iPhone 12 series is expected to be radically different from previous models, with a design that apes the current-generation iPad Pro. Apple is expected to return to a flat chassis, which was last seen with the 2016 iPhone SE. Four devices are reportedly planned, each packing a 5G radio, and using Apple’s upcoming 5nm-process A14 platform.

John Legere Quits T-Mobile US

John Legere, T-Mobile US’s wacky CEO who religiously wore magenta clothing and entertained his social media followers on Sundays with live streams from his kitchen, has surprisingly quit the company.

John Legere, former chief executive officer of T-Mobile US Inc., resigned from the wireless carrier’s board of directors, effective immediately, to pursue other options. Legere said in a filing Friday he wasn’t leaving because of any disagreement with management or the board. He had previously said he planned to continue as a director until his term ends June 4.

“Although I will be leaving the Board just a few weeks earlier than planned, be assured that I remain T-Mobile’s #1 fan!” Legere said.

Legere, 61, had been rumored to be a candidate for the CEO job at WeWork, but he said on a conference call in November that he “was never having discussions” about that position.

I dunno, man. They always say there were no disagreements, even if there were disagreements. This doesn’t sound amicable to me. I guess we will know in a few years. The truth always eventually comes out with these things…

Lenovo to Offer Fedora Pre-Installed on Laptops

Oh, cool. This is neat:

Red Hat and Lenovo are announcing pre-installed and factory-supported Fedora Workstation on several models of ThinkPad laptops at Red Hat Summit this week. Fedora Workstation will be a selectable option during purchase for the Thinkpad P1 Gen2, Thinkpad P53, and Thinkpad X1 Gen8 laptops – and Lenovo may offer even broader model support in the future. Lenovo has committed to making the pre-installed experience functional only using software from the main Fedora repositories – no third-party repos will be necessary, and by default no proprietary drivers will be installed.

Great news! I bought a T570 two years ago, chucked Windows off and installed an Arch-derivative. I’ve never had any problems with that machine. A thoroughly solid workhorse laptop.

Also Noteworthy

A number of other stories I came across that might be worth a look:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.