AVG: A Case-Study in Vulnerability Disclosure
Our research team responsibly disclosed a severe vulnerability in AVG Internet Security 2015 (build 5736, virus database 8919, released January 13th, 2015).
Within just two days of disclosure, on Thursday, March 12th, 2015, AVG released a patch to its user base.
AVG's response to this flaw is something we should all learn from. It stands in stark contrast with the vulnerability disclosure saga between Google and Microsoft. AVG has elegantly side-stepped that whole battlefield and quietly closed the door on the debate.
Vulnerability in a Nutshell
The affected AVG product allocated a memory page with RWX (read, write and execute) permissions at a constant, predictable address. This allocation occurred in every user-mode process created on the system.
This flaw significantly reduced the effort a threat actor needed in order to exploit a third-party application: a writable and executable page at an address known in advance gives an attacker a reliable place to stage code, regardless of how the rest of the process is laid out. Effectively, this vulnerability enabled a threat actor to exploit any old vulnerability (for instance, one dating from 2010) in a third-party application in order to compromise the underlying Windows system using a multi-stage process.
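A defender-side audit of the condition described above, written as an added example rather than code from the original post: given per-process memory-region records (assumed to have been collected with VirtualQueryEx and represented here as constructed tuples), it reports RWX regions whose base address is identical across processes, which is the combination that made this flaw exploitable. A per-process JIT heap is RWX too but lands at a different address in each process, so it is not reported.

```python
"""Audit helper: flag RWX pages that sit at the same base address in several processes.

Added example; it is not AVG's code nor the researchers' tooling. It assumes the
defender has already collected each process's memory regions (for instance with
VirtualQueryEx) as (pid, base, size, protect) tuples; the sample below is constructed.
"""
from collections import defaultdict

# Windows PAGE_* protection constants (MEMORY_BASIC_INFORMATION.Protect).
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100                       # modifier flag, OR'ed onto a base protection
RWX_PROTECTS = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


def is_rwx(protect):
    """True if the base protection (modifier bits masked off) is writable and executable."""
    return (protect & 0xFF) in RWX_PROTECTS


def find_fixed_rwx(regions, min_processes=2):
    """Return {base: sorted pids} for RWX regions that appear at an identical base
    address in at least ``min_processes`` distinct processes.

    A randomized RWX region (e.g. a JIT heap) shows up under a different base per
    process and is therefore never grouped; only the constant-address case is flagged."""
    pids_by_base = defaultdict(set)
    for pid, base, _size, protect in regions:
        if is_rwx(protect):
            pids_by_base[base].add(pid)
    return {base: sorted(pids) for base, pids in pids_by_base.items()
            if len(pids) >= min_processes}


# Constructed sample: three processes on a pre-Windows 8 system (no bottom-up ASLR).
SAMPLE_REGIONS = [
    (1204, 0x00490000, 0x1000, PAGE_EXECUTE_READWRITE),   # same RWX base in every process
    (2288, 0x00490000, 0x1000, PAGE_EXECUTE_READWRITE),
    (3376, 0x00490000, 0x1000, PAGE_EXECUTE_READWRITE),
    (1204, 0x02A10000, 0x10000, PAGE_EXECUTE_READWRITE),  # RWX JIT heaps, randomized per process
    (2288, 0x05C30000, 0x10000, PAGE_EXECUTE_READWRITE),
    (3376, 0x0B7F0000, 0x10000, PAGE_EXECUTE_READWRITE),
    (1204, 0x7FFE0000, 0x1000, 0x02),                     # PAGE_READONLY shared page: not RWX
    (2288, 0x7FFE0000, 0x1000, 0x02),
    (1204, 0x00600000, 0x1000, PAGE_EXECUTE_READWRITE | PAGE_GUARD),  # RWX, but one process only
]

if __name__ == "__main__":
    for base, pids in find_fixed_rwx(SAMPLE_REGIONS).items():
        print(f"RWX page at fixed address {base:#010x} in PIDs {pids}")
```

On Windows 8 and later, where bottom-up randomization moves such allocations, the same audit over real data should report nothing for this flaw.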
We provide further technical details here: http://breakingmalware.com/vulnerabilities/vulnerability-patching-learning-from-avg-on-doing-it-right/
Systems affected by the vulnerability
- Windows Vista
- Windows 7 32 bit
- Windows 7 64 bit
- Windows 8 and onwards. We'd like to note that although the AVG vulnerability existed on these systems as well, Microsoft introduced its Bottom-up and Top-down Randomization mitigation starting with Windows 8, which randomizes the address of such allocations. This mitigation essentially nullified any attempt to leverage this vulnerability.
This vulnerability clearly demonstrates the problems in the security ecosystem. On the one hand, Microsoft invests substantial resources in defenses, mitigations and enhancements to harden its system against compromise. On the other hand, there will always be some oversight in applications. Unfortunately, it is precisely such vulnerable third-party applications that can undermine these same defenses.