Security researchers have revealed that a vulnerability in almost all antivirus software platforms could have been exploited to disable anti-malware protection and turned into destructive tools.
RACK911 Labs has found a unique method of using directory junctions (in Windows) and symlinks (in macOS and Linux) to turn antivirus software products into self-destructive tools. However, it was reported that most of the antivirus companies have now fixed the vulnerability in their products.
Researchers stated that an attacker must be highly time-sensitive and should know when to exploit the directory junction or symlink vulnerabilities. “What most antivirus software fail to take into consideration is the small window of time between the initial file scan that detects the malicious file and the cleanup operation that takes place immediately after. A malicious local user or malware author is often able to perform a race condition via a directory junction (Windows) or a symlink (Linux & macOS) that leverages the privileged file operations to disable the antivirus software or interfere with the operating system to render it useless,” the researchers explained.