PALO ALTO, Calif., Jan. 24, 2019 /PRNewswire/ -- ILLUMANT, a penetration testing and security assessment firm, today announced the discovery of a critical vulnerability in firewall maker Check Point's anti-virus software (ZoneAlarm). The vulnerability is due to insecure implementation of .NET services developed using Windows Communication Foundation or "WCF." If exploited, it allows a malicious user with low privilege access to escalate privileges to SYSTEM level (the highest Windows privilege level). Illumant is calling this bug class "OwnDigo," a twist on the name "Indigo" — the former codename of WCF. The vulnerability is exploitable with the anti-virus software enabled.
Exploit Targets Software Designed to Protect
ZoneAlarm anti-virus, like other anti-virus software, is designed to protect users and their computers from dangerous malware and breaches. This vulnerability, however, demonstrates the risk that anti-virus software can pose to system security. Anti-virus software must run at the highest privilege level to effectively protect systems against malware. Hence vulnerabilities in this software can be extremely dangerous.
The risks anti-virus products pose has been identified previously. In 2016, Google researcher Tavis Ormandy announced numerous critical vulnerabilities in Symantec's suite of anti-virus products. This vulnerability demonstrates once again that security software vendors must be diligent about the security of their own products and applications.
"This is a stark reminder to the security software industry," said ILLUMANT co-founder Matija Siljak. "Security software manufacturers need to pay extra attention to the security of their own software lest their products become the vulnerability that allows for the propagation of cyber-attacks rather than the defense against them."
Latest Example from a New Class of Vulnerabilities
This ZoneAlarm issue is the latest in a lesser-known class of vulnerability that exposes the WCF attack surface. Illumant has coined the term "OwnDigo" to describe this vulnerability class.
"In this case, we've exploited services in ZoneAlarm," said Chris Anastasio, Senior Security Analyst at ILLUMANT. "But the methodology is applicable to many other programs. WCF is widely used in .NET applications, and initial research indicates that many other implementations are not adequately secured. In fact, other researchers have recently published similar vulnerabilities."
How to Protect Yourself
ILLUMANT coordinated the timing of this press release with Check Point to ensure that a patch for this vulnerability was already published (here & here). ZoneAlarm users should ensure their anti-virus software is up-to-date.
Other software publishers should assess their own applications and implementations of WCF to ensure their software is not vulnerable.
ILLUMANT credits Check Point for being extremely responsive during the vulnerability disclosure process, taking security issues seriously, making bug reporting simple (through a form on their website) and quickly developing a fix for this bug to protect their customers.
Read the full report on this vulnerability and the OwnDigo class of vulnerabilities.
ILLUMANT provides vulnerability research, penetration testing and security assessments, as well as awareness training, and security compliance services to companies of all sizes and verticals, including Fortune 500 companies, universities, health care providers, government institutions, startups and many others. ILLUMANT is a privately held company headquartered in Palo Alto, California.