Or Yair, a security researcher at SafeBreach, published a proof-of-concept (PoC) showing how antivirus products can be tricked into permanently deleting harmless files on your computer.
The PoC is called “Aikido”, after the Japanese martial art that turns an opponent's aggressive movements against them.
The PoC shows beyond doubt that the Aikido wiper works. Microsoft has already acknowledged the exploit in Defender and has fixed the vulnerability.
But other makers of security software, such as Avast, AVG and TrendMicro, were also vulnerable to this exploit. Other popular solutions, such as McAfee and BitDefender, are not affected.
Here is the full list of tested products.
Yair explains that the Aikido wiper exploits a time-of-check to time-of-use (TOCTOU) race condition.
An antivirus first detects and identifies a file as malicious, and only then deletes it.
Aikido abuses the window between those two steps: after detection, an alternate path is inserted so that the deletion lands on normal files instead of the malicious one. Even system files could be permanently deleted this way.
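The mitigation side of that window, as an added example that is not SafeBreach's PoC nor any vendor's engine code: the deletion step pins the parent directory with a directory file descriptor, re-checks that the same directory and the same regular file are still behind the path, and unlinks relative to that descriptor. Helper names (`record_identity`, `delete_if_unchanged`, `simulate`) are hypothetical, the scenario uses a symlink as a stand-in for a Windows junction, and it assumes a Linux host with `dir_fd` support.

```python
import os
import stat
import tempfile

NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)  # added example, hypothetical helpers; assumes Linux

def record_identity(path):
    """Detection time: remember which directory and file the scanner actually examined."""
    parent, name = os.path.split(os.path.abspath(path))
    d, f = os.stat(parent), os.stat(path)
    return {"dir": (d.st_dev, d.st_ino), "file": (f.st_dev, f.st_ino), "name": name}

def delete_if_unchanged(path, ident):
    """Deletion time: unlink only if the same directory and regular file are still there."""
    dfd = fd = None
    try:
        dfd = os.open(os.path.dirname(os.path.abspath(path)), os.O_RDONLY | os.O_DIRECTORY | NOFOLLOW)
        d = os.fstat(dfd)
        if (d.st_dev, d.st_ino) != ident["dir"]:
            return False  # a different directory now sits behind this path
        fd = os.open(ident["name"], os.O_RDONLY | NOFOLLOW, dir_fd=dfd)
        f = os.fstat(fd)
        if not stat.S_ISREG(f.st_mode) or (f.st_dev, f.st_ino) != ident["file"]:
            return False  # not the same regular file that was flagged
        os.unlink(ident["name"], dir_fd=dfd)  # unlink relative to the pinned directory
        return True
    except OSError:
        return False  # parent or file vanished, or became a symlink/junction
    finally:
        for h in (fd, dfd):
            if h is not None:
                os.close(h)

def simulate(swap):
    """Constructed scenario: flag scan/malware.bin, optionally redirect 'scan' in the window."""
    with tempfile.TemporaryDirectory() as root:
        scan, other = os.path.join(root, "scan"), os.path.join(root, "important")
        for d in (scan, other): os.mkdir(d)
        flagged, harmless = os.path.join(scan, "malware.bin"), os.path.join(other, "malware.bin")
        for p, data in ((flagged, b"constructed sample"), (harmless, b"constructed user data")):
            with open(p, "wb") as fh:
                fh.write(data)
        ident = record_identity(flagged)               # time of check
        if swap:                                       # redirect lands between check and use
            os.rename(scan, scan + "_moved")
            os.symlink(other, scan)
        deleted = delete_if_unchanged(flagged, ident)  # time of use
        real = os.path.join(scan + "_moved" if swap else scan, "malware.bin")
        return deleted, os.path.exists(real), os.path.exists(harmless)
```

With the redirect in place the deletion is refused and both the flagged and the harmless file survive; without it the flagged file is removed and nothing else is touched.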
In the case of Defender and Defender for Endpoint, Yair noticed that Defender did not delete files but folders. Microsoft assigned the vulnerability the ID “CVE-2022-37971” and patched it in the latest version, 1.1.19700.2, of the Microsoft Malware Protection Engine.
Meanwhile, TrendMicro, Avast and AVG also released updates to their products:
TrendMicro Apex One: Hotfix 23573 & Patch_b11136
Avast & AVG Antivirus: 22.10
More details about the Aikido wiper and the exploit can be found on SafeBreach's official website here. The Aikido wiper PoC was presented at the recent Black Hat Europe 2022 security conference, so more information is available there as well.