Posted by: Samker
« on: 02. March 2015, 10:12:28 »

Bitdefender is set to fix a security flaw in its products that meant revoked certificates for potentially malicious sites could be replaced with legitimate ones.
The problem, which the security vendor considered a low-level threat, arose when revoked certificates were replaced with a BitDefender certificate for the purpose of scanning HTTPS traffic.
That meant admins of potentially dodgy sites could be given a means of attacking users.
The Chief Research Officer of Risk Based Security, Carsten Eiram, reported the flaws in BitDefender's Antivirus Plus, Internet Security, and Total Security lines, which are set to be fixed this week.
“HTTPS scanning issues are something that a lot of people are focusing on,” Eiram told the IDG News Service: http://www.networkworld.com/article/2889693/some-bitdefender-products-break-https-certificate-revocation.html
“Someone is bound to download and check certificate validation in various security products including BitDefender.
“It’s just a matter of downloading the product and then visiting a site with a revoked certificate to see the unsafe behaviour.”
BitDefender's slip was light years from the dangers posed by the privacy-annihilating SuperFish interception kit or the borked PrivDog HTTPS fondler which prompted anger from privacy and security types over the last fortnight.
Its platforms replace HTTPS certificates to ensure a given site is legitimate. The software checks that a certificate is issued for the correct site and that it is not expired, but failed to look for revocation status.
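As an added example (not BitDefender's code or anything from the article), the following Python models the check described above using the `cryptography` library: `validate_as_reported` accepts a certificate on hostname and validity dates alone, while `validate_fixed` also consults a CRL and fails closed when that CRL is not signed by the trusted CA or is stale. The test CA, leaf certificates, hostnames and CRL are all constructed inside the block.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(cn, signer_key=None, issuer=None, days=30):
    """Constructed test PKI: with no issuer, a self-signed CA; otherwise a leaf for host `cn`."""
    key = ec.generate_private_key(ec.SECP256R1())
    b = (x509.CertificateBuilder().subject_name(_name(cn))
         .issuer_name(_name(cn) if issuer is None else issuer.subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW - DAY).not_valid_after(NOW + days * DAY))
    if issuer is None:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    else:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
    return key, b.sign(key if signer_key is None else signer_key, hashes.SHA256())

def make_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA, listing the given serials; valid for one day from NOW."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW - DAY).next_update(NOW + DAY))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def _utc(obj, attr):  # tz-aware accessors exist on cryptography >= 42; older ones are naive UTC
    v = getattr(obj, attr + "_utc", None)
    return v if v is not None else getattr(obj, attr).replace(tzinfo=datetime.timezone.utc)

def validate_as_reported(leaf, hostname, now=NOW):
    """The behaviour the article describes: right hostname and not expired, nothing more."""
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (hostname in san.get_values_for_type(x509.DNSName)   # exact match, no wildcards
            and _utc(leaf, "not_valid_before") <= now <= _utc(leaf, "not_valid_after"))

def validate_fixed(leaf, hostname, ca_cert, crl, now=NOW):
    """Same checks plus a CA-signed, fresh CRL; fails closed (chain verification assumed elsewhere)."""
    if not validate_as_reported(leaf, hostname, now):
        return False
    if not crl.is_signature_valid(ca_cert.public_key()) or now > _utc(crl, "next_update"):
        return False
    return crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is None
```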
Eiram said feasible attacks include ARP spoofing, DNS hijacking, and evil twin WiFi attacks, which can allow attackers to steal a victim's authentication tokens.
He says it would be easy for attackers to test whether other security platforms were meddling with certificate revocation checking using online services (test it yourself): https://revoked.grc.com/
In July researcher Stefan Viehbock found since-fixed holes in BitDefender's Gravity end-point protection platform that allowed attackers to target corporate infrastructure and move laterally through a network: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140716-3_Bitdefender_GravityZone_Multiple_critical_vulnerabilities_v10.txt
(ElReg)