The very anti-malware solutions meant to protect organizations for things like increasing privilege can be exploited to do just that.
The solutions “may unintentionally assist malware in gaining more privileges on the system,” according to a CyberArk blog post penned by Eron Shimony. “The vast number of affected machines is troublesome; probably every Windows machine out there has had at least one software that could be abused to gain elevated privileges via file manipulation attacks.”
Anti-malware solutions “are more vulnerable to exploitation because of their high privilege,” Shimony wrote, explaining that the vendors CyberArk reviewed, by and large, fall for the same types of vulnerabilities. While the number of bugs are “staggering,” many can “be easily eliminated.”
CyberArk cited the default DACLs of the C:ProgramData directory as the first cause of many bugs.
Malicious users might find their best opportunity to escalate privilege via DLL hijacking through installers. They’re ripe fruit for attackers because while vendors update inside the packages, “they often forget to update the installer package,” Shimony wrote. Essentially, only the code gets updated so any “software products that rely on installation frameworks are vulnerable to DLL hijacking.”
To protect against anti-malware being exploited for privilege escalation, CyberArk recommended organizations change DACLs before usage, correct impersonating, update installation frameworks and use LoadLibraryEx instead of an old LoadLibrary API.