Defender, Avast, AVG? Update immediately

Or Yair, a security researcher at SafeBreach, published a proof-of-concept (POC) showing how you can trick antiviruses into permanently deleting harmless files on your computer.

The POC is called “Aikido”, after the Japanese martial art that turns an opponent's aggressive movements against them.

The PoC shows without a doubt that the Aikido wiper works. Microsoft has already identified the exploit in Defender and patched the vulnerability.

But there were other security software makers like Avast, AVG and TrendMicro that were vulnerable to this exploit. Other popular solutions such as McAfee and BitDefender are not affected.

Here is the full list of tested products.

[Image: Aikido wiper, list of tested products]

Yair mentions that the Aikido wiper exploits a class of vulnerability known as time-of-check to time-of-use (TOCTOU).

An antivirus solution first detects and identifies a file as malicious and then deletes it, so there is a window between the two steps.

Aikido uses this TOCTOU window to insert an alternate path after the malware has been detected, which leads to the deletion of legitimate files instead of the malicious ones. Even system files could be permanently deleted.
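The check-then-delete gap described above, as an added example (not code from SafeBreach or any antivirus vendor): a deletion routine that trusts the path recorded at detection, next to one that re-validates the file's identity before deleting. The function names, the `Detection` record and the temp-directory scenario are constructed for illustration and assume a POSIX system.

```python
import os
import tempfile
from collections import namedtuple

# Hypothetical record of what the scanner saw at time-of-check.
Detection = namedtuple("Detection", "path real_path dev ino")

def record_detection(path):
    st = os.stat(path)
    return Detection(path, os.path.realpath(path), st.st_dev, st.st_ino)

def naive_delete(det):
    """Vulnerable pattern: assumes the path still names the detected file."""
    os.remove(det.path)
    return True

def safe_delete(det):
    """Re-validate at time-of-use; refuse if the path now leads elsewhere."""
    try:
        st = os.stat(det.path)
    except FileNotFoundError:
        return False
    if os.path.realpath(det.path) != det.real_path:
        return False  # a link now sits somewhere along the path
    if (st.st_dev, st.st_ino) != (det.dev, det.ino):
        return False  # same name, different file
    os.remove(det.path)
    return True

def benign_file_survives(delete_fn):
    """Constructed scenario in a temp dir; a symlink stands in for the alternate path."""
    with tempfile.TemporaryDirectory() as root:
        scan_dir = os.path.join(root, "scan")
        keep_dir = os.path.join(root, "keep")
        os.mkdir(scan_dir)
        os.mkdir(keep_dir)
        flagged = os.path.join(scan_dir, "sample.bin")
        benign = os.path.join(keep_dir, "sample.bin")
        for p, data in ((flagged, b"flagged test content"), (benign, b"benign")):
            with open(p, "wb") as fh:
                fh.write(data)
        det = record_detection(flagged)           # time of check
        os.rename(scan_dir, scan_dir + ".moved")  # path changes ...
        os.symlink(keep_dir, scan_dir)            # ... before time of use
        delete_fn(det)
        return os.path.exists(benign)

if __name__ == "__main__":
    print("naive:", benign_file_survives(naive_delete))
    print("safe: ", benign_file_survives(safe_delete))
```

The re-check narrows the window but does not close it, since the path can still change between the comparison and the `os.remove` call. The robust form holds an open handle to the parent directory, opened without following links, and deletes relative to that handle.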

In the case of Defender and Defender for Endpoint, Yair noticed that Defender did not delete files, but folders. Microsoft assigned the vulnerability the ID “CVE-2022-37971” and patched it in the latest version, 1.1.19700.2, of the Microsoft Malware Protection Engine.

Meanwhile, TrendMicro, Avast and AVG have also released fixes for their products:

TrendMicro Apex One: Hotfix 23573 & Patch_b11136
Avast & AVG Antivirus: 22.10

More details about the Aikido Wiper and the exploit can be found on SafeBreach's official website. The Aikido Wiper POC was recently presented at security Europe 2022, where more information is also available.


Written by giorgos
