Security researchers have published details of privilege-escalation vulnerabilities in several popular antivirus products, flaws that would let threat actors move from an ordinary user account to a highly privileged process.
The report, compiled by the CyberArk security research team, makes the point that the high privileges anti-malware products run with are exactly what makes them dangerous: they are exposed to file-manipulation attacks, and a successful one ends with malware holding elevated permissions on the system.
The ProgramData directory is used by applications to store data that is not specific to a single user. Services and other processes that are not tied to a particular user therefore write to %ProgramData% rather than to %LocalAppData%, which belongs to the currently logged-in user.
All of these bugs stem from the default DACL of the C:\ProgramData folder. Because of that DACL, any user can create files and folders there without elevation: every user has both write and delete permission at the base level of the directory. That opens the door to privilege escalation whenever a non-privileged process creates a new folder in ProgramData that a privileged process later picks up and uses as its own.
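The quickest way to see which vendor folders under %ProgramData% are exposed this way is to read the output of `icacls` and flag every ACE that gives a non-administrative principal create, write or delete rights. The script below is an added example, not code from the CyberArk report: it parses icacls output into ACE records and reports the risky ones. `SAMPLE` is constructed in the layout icacls prints (the first entry mirrors the stock ProgramData DACL); the ExampleAV folders and the EXAMPLEPC\alice account are hypothetical.

```python
r"""Added example (not from the CyberArk report): parse `icacls` output and flag
ACEs that give non-administrative principals create, write or delete rights on
directories under %ProgramData%.  SAMPLE is CONSTRUCTED in the layout icacls
prints; the ExampleAV folders and the EXAMPLEPC\alice account are hypothetical."""
import re
from dataclasses import dataclass

# Principals expected to hold write access on vendor data directories.
ADMIN_PRINCIPALS = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
                    "NT SERVICE\\TrustedInstaller"}
# icacls codes that let a principal add, change, delete or re-ACL objects.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WDAC", "WO", "GW", "GA"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<spec>(?:\([^()]*\))+)\s*$")


@dataclass(frozen=True)
class Ace:
    path: str
    principal: str
    flags: frozenset   # inheritance flags and DENY
    rights: frozenset  # icacls right codes


def _parse_ace(path, text):
    m = ACE_RE.match(text)
    if not m:
        raise ValueError("unrecognised ACE %r under %s" % (text, path))
    groups = re.findall(r"\(([^()]*)\)", m.group("spec"))
    flags = frozenset(g for g in groups if g in INHERIT_FLAGS)
    rights = frozenset(r for g in groups if g not in INHERIT_FLAGS for r in g.split(","))
    return Ace(path, m.group("principal"), flags, rights)


def parse_icacls(text):
    """Turn icacls output into a list of Ace records, one per ACE."""
    lines = [l for l in text.splitlines() if l.strip()]
    aces, i = [], 0
    while i < len(lines):
        line = lines[i]
        if line[0].isspace():
            raise ValueError("continuation line with no preceding path: %r" % line)
        # icacls indents continuation lines by len(path) + 1, which is the only
        # reliable way to split a path from the first ACE when both contain spaces.
        if i + 1 < len(lines) and lines[i + 1][0].isspace():
            indent = len(lines[i + 1]) - len(lines[i + 1].lstrip())
            path, first = line[:indent - 1], line[indent:]
        else:
            path, first = line.split(" ", 1)
        aces.append(_parse_ace(path, first))
        i += 1
        while i < len(lines) and lines[i][0].isspace():
            aces.append(_parse_ace(path, lines[i].strip()))
            i += 1
    return aces


def find_weak_aces(aces):
    """ACEs granting write-class rights to anyone outside ADMIN_PRINCIPALS.
    CREATOR OWNER is skipped: its inherit-only entry is what hands whoever
    creates a child object full control of it, and that shows up as an explicit
    ACE for that user on the child (see EXAMPLEPC\\alice on Logs below)."""
    return [a for a in aces
            if "DENY" not in a.flags
            and a.principal not in ADMIN_PRINCIPALS
            and a.principal != "CREATOR OWNER"
            and a.rights & WRITE_RIGHTS]


def _entry(path, *aces):
    # Lay out one icacls entry exactly as the tool prints it (constructed data).
    return [path + " " + aces[0]] + [" " * (len(path) + 1) + a for a in aces[1:]]


SAMPLE = "\n".join(
    _entry("C:\\ProgramData",
           "NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
           "BUILTIN\\Administrators:(OI)(CI)(F)",
           "CREATOR OWNER:(OI)(CI)(IO)(F)",
           "BUILTIN\\Users:(OI)(CI)(RX)",
           "BUILTIN\\Users:(CI)(WD,AD,WEA,WA)")
    + _entry("C:\\ProgramData\\ExampleAV\\Logs",
             "NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)",
             "BUILTIN\\Administrators:(I)(OI)(CI)(F)",
             "BUILTIN\\Users:(I)(OI)(CI)(RX)",
             "EXAMPLEPC\\alice:(I)(OI)(CI)(F)")
    + _entry("C:\\ProgramData\\ExampleAV\\Quarantine",
             "NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
             "BUILTIN\\Administrators:(OI)(CI)(F)",
             "BUILTIN\\Users:(OI)(CI)(RX)"))

if __name__ == "__main__":
    for a in find_weak_aces(parse_icacls(SAMPLE)):
        print("%-40s %-25s %s" % (a.path, a.principal,
                                  ",".join(sorted(a.rights & WRITE_RIGHTS))))
```

On a real host, feed it the output of `icacls C:\ProgramData /t` (or just the vendor's subtree). The two findings in the sample are the two halves of the problem: `BUILTIN\Users` can add files and subfolders at the root of ProgramData, and a folder a user created (`Logs`, owned by alice) stays fully under that user's control even once a privileged service starts writing into it.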
If the privileged process shares a log file with a non-privileged one, an attacker can use the privileged process to delete the files and then plant a symbolic link, under the expected name, that points at any arbitrary file; the privileged process writes its attacker-influenced content through the link into that target. The CyberArk researchers also showed that it is possible to create the expected folder in C:\ProgramData before the antivirus product's privileged process has run at all, so that the attacker, not the product, owns the directory the privileged process goes on to use.
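The log-file case above comes down to one bad habit: a privileged writer opens a path by name in a directory it does not control and follows whatever is sitting there. The following added example (my own code, not CyberArk's or any vendor's) replays the attack in a temporary directory and contrasts the naive writer with one that refuses to write through a link. The ExampleAV folder is hypothetical and the "attacker" steps run in the same process, which is realistic since planting the link needs no privilege. It uses POSIX symlinks, so it runs as-is on Linux or macOS; on Windows creating a symlink needs SeCreateSymbolicLinkPrivilege or Developer Mode, which is why real-world attacks there favour junctions and other reparse points instead.

```python
"""Added example (not from the CyberArk report): a privileged log writer that
follows a planted link, and a hardened variant that refuses to.
The ExampleAV directory name is hypothetical; everything runs in a tempdir."""
import os
import stat
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x400  # Windows: symlinks and junctions are reparse points


def is_reparse_point(path):
    """True if `path` itself (not its target) is a symlink or a Windows reparse point."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    return bool(getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT)


def vulnerable_append(log_path, data):
    """The pattern under attack: open by name, follow whatever is there."""
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(data)


def hardened_append(log_path, data):
    """Refuse to write through a link.  On POSIX, O_NOFOLLOW makes the refusal
    atomic in the kernel; on Windows, Python's os.open has no O_NOFOLLOW, so the
    lstat check is a best-effort, non-atomic guard (the native fix is CreateFile
    with FILE_FLAG_OPEN_REPARSE_POINT, or not using a user-writable directory at all)."""
    if os.path.lexists(log_path) and is_reparse_point(log_path):
        raise PermissionError("refusing to follow a link at %s" % log_path)
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(log_path, flags, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as f:
        f.write(data)


def run_demo():
    """Replay the attack and return what each writer did."""
    with tempfile.TemporaryDirectory() as root:
        shared = os.path.join(root, "ProgramData", "ExampleAV")  # user-writable vendor dir
        os.makedirs(shared)
        log_path = os.path.join(shared, "service.log")
        # Stand-in for a file only the privileged process may write.
        target = os.path.join(root, "protected.cfg")
        with open(target, "w", encoding="utf-8") as f:
            f.write("original\n")

        # Attacker (unprivileged): the folder is theirs, so the expected log
        # name can be replaced with a link to the protected file.
        os.symlink(target, log_path)

        # Privileged service, naive version: the write lands in protected.cfg.
        vulnerable_append(log_path, "injected by unprivileged user\n")
        with open(target, encoding="utf-8") as f:
            tampered = f.read()

        # Privileged service, hardened version: the link is refused.
        try:
            hardened_append(log_path, "should never land\n")
            blocked = False
        except OSError:  # PermissionError from the lstat check, or ELOOP from O_NOFOLLOW
            blocked = True
        with open(target, encoding="utf-8") as f:
            after = f.read()

        # Sanity check: on a genuine file the hardened writer still works.
        os.remove(log_path)
        hardened_append(log_path, "normal log line\n")
        with open(log_path, encoding="utf-8") as f:
            clean = f.read()
        return {"tampered": tampered, "blocked": blocked, "after": after, "clean": clean}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, repr(v))
```

Refusing to follow links only closes one route; as long as the directory itself is user-writable, the attacker keeps other options, such as swapping in a file of their own between the check and the write. The durable fix is to create the vendor directory with a DACL that excludes unprivileged users before a privileged process ever touches it.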
DLL hijacking gives attackers several routes to higher privileges, and the installer is the most profitable one: vendors update their internal components but frequently forget to update the installer package, so an old, vulnerable installer keeps shipping. Privilege escalation through DLL hijacking does not have to depend on a writable directory in %PATH%. The report accordingly includes a partial list of installation frameworks that were found vulnerable to this kind of attack.
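What decides whether a given DLL load is hijackable is the order in which Windows searches for it and which of those directories an unprivileged user can write to. The added example below (my own code, not the report's) encodes the default search order with SafeDllSearchMode enabled and, for a named DLL, returns every directory an attacker could plant it in before the genuine copy is reached. It assumes no SxS manifest or `.local` redirection and no `LoadLibraryEx` search flags; the KnownDLLs list (really held under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs) is passed in by the caller. All paths, PATH contents, DLL names and writability in `demo()` are constructed, nothing is read from the live system.

```python
"""Added example (not from the CyberArk report): where could an unprivileged user
plant a DLL so that an installer or service loads it before the real one?
All directories, DLL names and writability below are CONSTRUCTED."""
import ntpath

TEMP_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\setup_extract"  # hypothetical
SYSTEM32 = "C:\\Windows\\System32"


def dll_search_order(app_dir, cwd, path_dirs, windir="C:\\Windows"):
    """Default search order with SafeDllSearchMode on: application directory,
    System32, the 16-bit System directory, the Windows directory, the current
    directory, then each %PATH% entry in order."""
    return [app_dir, ntpath.join(windir, "System32"), ntpath.join(windir, "System"),
            windir, cwd, *path_dirs]


def _norm(p):
    return ntpath.normcase(ntpath.normpath(p))


def hijack_points(dll, search_order, present_in, user_writable, known_dlls=()):
    """Directories, in load order, where an unprivileged user could drop `dll`
    and have it loaded.  A writable directory that also holds the genuine copy
    (an installer's own extraction dir) counts too, since the file can be replaced.
    KnownDLLs always resolve from System32, so they are not hijackable this way."""
    if dll.lower() in {k.lower() for k in known_dlls}:
        return []
    present = {_norm(p) for p in present_in}
    writable = {_norm(p) for p in user_writable}
    points, seen = [], set()
    for d in search_order:
        nd = _norm(d)
        if nd in writable and nd not in seen:
            points.append(d)
            seen.add(nd)
        if nd in present:
            break  # the genuine DLL is found here; later directories never get searched
    return points


def demo():
    results = {}
    # 1. An elevated installer that unpacked itself into the user's %TEMP% and
    #    loads a helper DLL that really lives only in System32.  The extraction
    #    directory is searched first and the user can write to it.
    order = dll_search_order(app_dir=TEMP_DIR, cwd=TEMP_DIR,
                             path_dirs=[SYSTEM32, "C:\\Tools"])
    results["installer"] = hijack_points("vendorhelper.dll", order,
                                         present_in=[SYSTEM32],
                                         user_writable=[TEMP_DIR, "C:\\Tools"])
    # 2. A service in Program Files that probes for a DLL that is not installed
    #    anywhere, with a user-writable directory on %PATH%.
    order = dll_search_order(app_dir="C:\\Program Files\\ExampleAV", cwd=SYSTEM32,
                             path_dirs=[SYSTEM32, "C:\\Tools"])
    results["service_missing_dll"] = hijack_points("plugin.dll", order,
                                                   present_in=[],
                                                   user_writable=["C:\\Tools", TEMP_DIR])
    # 3. A KnownDLL is immune to search-order tricks.
    results["known"] = hijack_points("kernel32.dll", order,
                                     present_in=[SYSTEM32],
                                     user_writable=["C:\\Tools"],
                                     known_dlls=["kernel32.dll"])
    return results


if __name__ == "__main__":
    for name, dirs in demo().items():
        print(name, "->", dirs or "not hijackable")
```

Case 1 is the installer problem from the text: the package does not need a writable %PATH% entry because its own extraction directory comes first in the search. The corresponding fixes on the loading side are `LoadLibraryEx` with `LOAD_LIBRARY_SEARCH_SYSTEM32` (or `SetDefaultDllDirectories`) so that the application directory and %PATH% are never consulted for system DLLs, and extracting installer payloads into a directory created with a DACL that unprivileged users cannot write to.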
The CyberArk report also describes mitigations for these weaknesses, all of them straightforward to apply. Left unaddressed, the impact of these bugs is typically full privilege escalation on the local system.
Because security products run at such a high privilege level, a single mistake in one of them can hand malware the means to escalate, keep its foothold and cause far greater loss to the organisation.