Five Zero-Days Found in Comodo Antivirus Software
Though antivirus software is used to protect PCs and other devices from unknown malware and threats, Comodo – which has over 85 million desktop software installations across more than 700,000 business customers – is riddled with vulnerabilities that would ultimately grant an attacker complete control over the machine. Researchers discovered a sandbox escape and a privilege escalation to SYSTEM, according to today’s blog post. An attacker could even disable the antivirus altogether, leaving the device unprotected and vulnerable, researchers explained.
“Comodo uses many IPC mechanisms between its various AV components: Filter Ports, Shared Memory, LPC, and COM,” wrote Tenable’s David Wells.
“We happen to know Comodo has the capability to invoke scan jobs from low-privilege processes such as explorer.exe (via it’s Context Shell Handler – (the menu that appears when user right clicks)) or Cis.exe (Comodo client GUI). These scan jobs are executed by invoking routines in CAVWP.exe which runs as SYSTEM.”
In total, researchers discovered five different vulnerabilities, which are demonstrated in a proof-of-concept video that illustrates the risks.
Researchers wrote that they had disclosed the vulnerabilities to Comodo on April 17. The company confirmed some of the vulnerabilities on May 7, adding that it is awaiting confirmation of others. According to the disclosure, Tenable followed up to request a status update several times before Comodo reported on June 7 that the “LPE vulnerability is partially due to Microsoft's fault.”
On July 8, Tenable asked for a status update on when fixes would be released. As of the July 22 disclosure, researchers had not been made aware of a patch to address these vulnerabilities. In an email to Infosecurity, a Comodo spokesperson wrote, "There have been no reported incidents exploiting any of these vulnerabilities and no customers reporting related issues to us. The Comodo product team has been working diligently to resolve all vulnerabilities and all fixes will be released by Monday, July 29."
Source: Information Security Magazine