Nearly three months after being first released to the business market, Vista had a near perfect track record (excluding a design weakness in voice) against remote exploits until this Tuesday. Ironically, the culprit happens to be Microsoft's Malware Protection, which is used in all of Microsoft's antivirus products including Windows Defender for Vista. This is just another example of the software charged with scanning and detecting malicious code being tricked by a package rigged to explode when inspected.
Last May I said that running desktop-based anti-Malware protection is like having the bomb squad inspect a suspicious package inside your house. Antivirus is like any other software in that any additional code added to a system merely adds more vectors for exploitation. In the case of antivirus or anti-spyware software it's even worse, because the code runs with system-level privileges, so any exploitation of that code yields a system-level compromise. If it were merely a user-level application like Office running under Vista, an exploit would still have to get the user to agree to elevate the code through UAC. If the anti-Malware code gets compromised, the malicious code is automatically granted the keys to the kingdom. Microsoft isn't alone in this regard; just last week we had a critical exploit for Trend Micro's antivirus software. In fact, we still have worms actively trying to scan for and exploit Symantec's antivirus engine.
This time we have a PDF parsing issue in Microsoft's Malware detection engine; last week it was a UPX-compressed executable compromising Trend Micro's Malware detection engine when parsed. Before that it was compressed ARJ files rigged to explode. The history of heap exploitation in antivirus packages is long and plentiful, and every major antivirus vendor has been affected at one time or another. What's sad is that software that's supposed to protect you actually exposes you to being exploited even worse than if you hadn't had that "protection" software installed in the first place. It's like going to the doctor for minor stitches and the doctor uses an infected needle that gives you a fatal disease. If I didn't get bugged every few minutes for running Vista with Defender off, I'd have disabled it long ago. The fact that it was patched by Microsoft the day the vulnerability was announced doesn't make me feel a whole lot better about it or about any of these anti-Malware solutions. The fact that Vista has added heap protection might improve this situation, but we're still not clear whether it mitigates this particular exploit or whether it will protect against future heap exploits.
What I'm wondering is why the anti-Malware vendors don't run their parsing engines as a separate user-level process with access to a single folder on the hard drive. The main antivirus program should take inbound files, shove them into that folder and let the parsing engine run a scan. If it blows up, the worst thing that can happen is that the contents of that temporary folder get incinerated, which doesn't bother me one bit. Going back to our bomb squad analogy, it would be like installing a thick bomb containment chamber inside your home. When a suspicious package comes in, put it in the chamber and open the package inside the chamber. If it explodes, then no harm done. If it's nothing dangerous, take it out and declare it safe. The first antivirus vendor that sticks their file parsing engine in a bomb containment chamber has my personal blessing. Until then, they're all nothing but Malware enabler engines.
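To make the "bomb containment chamber" concrete, here is an added example (my own sketch, not code from the post or from any antivirus vendor) of the split the paragraph describes: the main program copies an inbound file into a throwaway directory, runs the parsing engine as a separate process confined to that directory with resource limits and, when the caller is root, dropped to an unprivileged account, and treats a parser crash as a verdict rather than as a compromise of the host. The parser is a stand-in toy, the `%PDF-RIGGED` and `CONSTRUCTED-MALWARE-MARKER` strings are constructed markers, the `nobody` account name is an assumption, and POSIX is assumed for `resource` and `preexec_fn`.

```python
"""Added example: a file-parsing engine confined to a throwaway "chamber".

Not part of the original post. Assumes POSIX (resource limits, setuid) and a
`nobody` account when run as root; the parser below is a toy stand-in.
"""
import functools
import os
import pwd
import resource
import shutil
import subprocess
import sys
import tempfile
from typing import NamedTuple, Optional, Tuple

# Toy parser standing in for the vendor's engine; it always runs in a child
# process. "%PDF-RIGGED" is a constructed marker that makes it abort, the way
# a parser hit by a heap-corruption bug would die.
PARSER_SOURCE = r'''
import os, sys
data = open(sys.argv[1], "rb").read()
if data.startswith(b"%PDF-RIGGED"):
    os.abort()          # crash with SIGABRT, like a parser with a corrupted heap
print("MALWARE" if b"CONSTRUCTED-MALWARE-MARKER" in data else "CLEAN")
'''

UNPRIVILEGED_USER = "nobody"   # assumption: an unprivileged account on the host
CHAMBER_TIMEOUT = 10           # seconds before a hung parser is killed


def _unprivileged_ids() -> Optional[Tuple[int, int]]:
    """(uid, gid) to drop to when we are root, else None (only root can switch)."""
    if os.geteuid() != 0:
        return None
    try:
        pw = pwd.getpwnam(UNPRIVILEGED_USER)
    except KeyError:
        return None
    return pw.pw_uid, pw.pw_gid


def _confine_child(ids: Optional[Tuple[int, int]]) -> None:
    """Runs in the child just before exec: cap resources, then drop privileges."""
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))                 # no core dumps of samples
    resource.setrlimit(resource.RLIMIT_CPU, (CHAMBER_TIMEOUT, CHAMBER_TIMEOUT))
    resource.setrlimit(resource.RLIMIT_FSIZE, (1 << 20, 1 << 20))    # parser cannot write big files
    if ids is not None:
        os.setgroups([])
        os.setgid(ids[1])
        os.setuid(ids[0])


class ScanResult(NamedTuple):
    verdict: str   # "clean", "malware", "parser_crashed", "timeout" or "parser_error"
    chamber: str   # the throwaway directory; removed before the result is returned


def scan_in_chamber(path: str) -> ScanResult:
    """Copy `path` into a fresh chamber, scan it there in a confined child, burn the chamber."""
    chamber = tempfile.mkdtemp(prefix="av-chamber-")
    ids = _unprivileged_ids()
    try:
        sample = os.path.join(chamber, "sample.bin")
        shutil.copyfile(path, sample)                 # the engine never touches the original
        parser = os.path.join(chamber, "parser.py")
        with open(parser, "w") as fh:
            fh.write(PARSER_SOURCE)
        if ids is not None:                           # let the unprivileged child read its inputs
            for p in (chamber, sample, parser):
                os.chown(p, ids[0], ids[1])
        try:
            proc = subprocess.run(
                [sys.executable, "-I", parser, sample],
                cwd=chamber,
                env={"PATH": "/usr/bin:/bin"},        # minimal environment, nothing inherited
                stdin=subprocess.DEVNULL,
                capture_output=True,
                timeout=CHAMBER_TIMEOUT,
                preexec_fn=functools.partial(_confine_child, ids),
            )
        except subprocess.TimeoutExpired:
            return ScanResult("timeout", chamber)
        if proc.returncode < 0:                       # killed by a signal: the package exploded
            return ScanResult("parser_crashed", chamber)
        if proc.returncode != 0:
            return ScanResult("parser_error", chamber)
        verdict = "malware" if proc.stdout.decode().strip() == "MALWARE" else "clean"
        return ScanResult(verdict, chamber)
    finally:
        shutil.rmtree(chamber, ignore_errors=True)    # incinerate whatever is in the chamber


if __name__ == "__main__":
    demo = tempfile.mkdtemp()
    for name, body in (("benign.pdf", b"%PDF-1.4 constructed benign sample"),
                       ("bad.pdf", b"%PDF-1.4 CONSTRUCTED-MALWARE-MARKER"),
                       ("rigged.pdf", b"%PDF-RIGGED constructed crash sample")):
        p = os.path.join(demo, name)
        with open(p, "wb") as fh:
            fh.write(body)
        print(name, scan_in_chamber(p).verdict)
    shutil.rmtree(demo)
```

The host-side program only ever sees a short verdict string and an exit status; a crash inside the child leaves the main program running and the chamber already deleted. A real deployment would add a kernel-level sandbox (seccomp, a restricted token or AppContainer on Windows, a separate mount namespace) rather than relying on rlimits alone, but the division of responsibility is the one the paragraph asks for.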