Naked Security

DoubleAgent ‘vulnerability’ – just how bad is it?

The saga of DoubleAgent is, among other things, a good reminder that ordinary users shouldn't have admin privileges

Much has been made of a reported zero-day exploit called DoubleAgent. According to security vendor Cybellum, this is a nasty threat that attackers can use to compromise antivirus software. The hijacked antivirus is then turned against the very organizations it is meant to protect.

Is it really as menacing as all that? Not exactly.

Sophos is conducting its own investigation to see if it’s affected by such a threat. So far, the answer is no.

But there’s more to this story than whether or not antivirus is under threat.

Security practitioners commenting on the forum have picked apart Cybellum’s findings in recent days, noting that it’s specifically a Windows vulnerability. Some pointed out that the affected component was not undocumented, as reports have suggested. The feature has been around for a long time, and Microsoft published a technical breakdown in August 2012.

Meanwhile, Alex Ionescu, vice-president of EDR strategy at CrowdStrike, claimed in a series of tweets that Cybellum copied and distorted his own research.

With all that in mind, let’s look at what this vulnerability is really about, when it was actually discovered and what Sophos is doing to protect people.

DoubleAgent explained

DoubleAgent exploits a legitimate Windows tool known as Microsoft Application Verifier and supposedly works against antivirus products from numerous vendors. An article in Dark Reading made it sound particularly ominous, saying:

The exploit gives attackers a way to turn an antivirus product … into malware for snooping on users, stealing data from their systems, and for moving laterally across the network and sabotaging the system, Cybellum said. Most importantly, since the malware would masquerade as an AV product, it would also give attackers a way to maintain persistence on a compromised system for as long as they wanted.

The Microsoft Application Verifier feature at the heart of this vulnerability has been around since at least Windows XP. It’s a Windows feature that allows developers to perform runtime verifications of their applications to find and fix flaws.

The Dark Reading article describes Application Verifier as an undocumented feature. In fact, Microsoft mapped it out back in August 2012, describing it this way on the Microsoft website:

Application Verifier (AppVerif.exe) is a dynamic verification tool for user-mode applications. This tool monitors application actions while the application runs, subjects the application to a variety of stresses and tests, and generates a report about potential errors in application execution or design. Application Verifier can detect errors in any user-mode applications that are not based on managed code, including user-mode drivers. It finds subtle programming errors that might be difficult to detect during standard application testing or driver testing.

Mitigating factors

Several antivirus vendors called out as potentially vulnerable said late last week that they’ve already patched their products against this flaw and are not at risk. Those using Intercept X are protected from DoubleAgent, as are users of Sophos Endpoint. The investigation also showed that Sophos itself is protected.

Sophos said in a statement:

From what we have seen so far, this is a bit of an overblown threat. If an attacker can get code to run with administrator permissions on your computer, this is one of several ways to inject malicious behavior into existing software. And it will work on most software, not just antivirus. In our tests with the proof-of-concept code, the attack doesn’t work on a computer with Intercept X installed. That said, we take any potential threat seriously, so we’ll be looking at what else we can do to detect and block this type of threat in the future.

A coming update for Intercept X will protect any application — not just antivirus — on the endpoint against the DoubleAgent attack. 

DoubleAgent is also another example of an exploit that takes advantage of admin rights. Though Intercept X protects users against this sort of thing, it’s another reminder that admin access should be granted sparingly. In other words, users should only get the access they need to do their jobs and nothing more.

In many cases, people are still admins on their PCs without really needing to be, though this is also something Microsoft and others have remedied with newer versions of their operating systems. Windows 10, macOS and Linux all start off with non-root accounts. A person’s access can be increased as needed, but elevated access is no longer the default.
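An added example, not code from this article, Sophos or Cybellum: one way for a defender to audit an endpoint for Application Verifier registrations, which need the admin rights discussed above to create. It assumes the input is the text output of a recursive `reg query` on the Image File Execution Options key, where Windows keeps each executable's `VerifierDlls` and `GlobalFlag` values; the `WATCHED` set, the executable names and the sample data are constructed for illustration.

```python
import re

# Application Verifier settings are stored per executable under this key.
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that switches the verifier on
WATCHED = {"example-av.exe"}      # assumption: hypothetical security-product image

# Constructed sample of `reg query "<ROOT>" /s` output (not real endpoint data).
SAMPLE = "\n".join([
    ROOT + r"\notepad.exe", "    GlobalFlag    REG_DWORD    0x2", "",
    ROOT + r"\example-av.exe", "    GlobalFlag    REG_DWORD    0x100",
    "    VerifierDlls    REG_SZ    unknown_provider.dll", "",
    ROOT + r"\devtool.exe", "    GlobalFlag    REG_DWORD    0x100",
    "    VerifierDlls    REG_SZ    vrfcore.dll", "",
])
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_ifeo(text):
    """Return {image: {value_name: data}} for direct subkeys of ROOT."""
    images, current = {}, None
    prefix = ROOT.lower() + "\\"
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()
            image = key[len(prefix):] if key.startswith(prefix) else ""
            # Ignore the root key itself and anything nested below an image key.
            current = images.setdefault(image, {}) if image and "\\" not in image else None
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(3).strip()
    return images

def audit(text):
    """List images that have an Application Verifier provider DLL registered."""
    findings = []
    for image, values in sorted(parse_ifeo(text).items()):
        dlls = values.get("verifierdlls")
        if not dlls:
            continue
        flag = int(values.get("globalflag", "0"), 0)  # reg prints DWORDs as 0x...
        findings.append({
            "image": image,
            "verifier_dlls": dlls,
            "verifier_enabled": bool(flag & FLG_APPLICATION_VERIFIER),
            "priority": "high" if image in WATCHED else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On machines that are not used for development, any finding is worth a look, since Application Verifier is a developer tool.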
