Or Yair, a security researcher at SafeBreach, published a proof-of-concept (POC) showing how you can trick antiviruses into permanently deleting harmless files on your computer.
POC is called “Aikido” and is inspired by the Japanese martial art used to turn the aggressive movements of opponents against oneself.
Our PoC shows without a doubt that the Aikido wiper works. Microsoft has already identified the exploit in Defender and patched the vulnerability.
But there were other software manufacturers protections such as Avast, AVG and TrendMicro that were vulnerable to this exploit. Other popular solutions such as McAfee and BitDefender are not affected.
Here is the full list of tested products.
Yair mentions that Aikido wiper uses a vulnerability called time-of-check to time-of-use (TOCTOU).
It is an anti-virus solution that first detects and identifies a file as malicious and then deletes it.
Aikido using TOCTOU is used to insert an alternate path after detecting the malware leading to deletion normal files instead of malicious ones. Even system files could be permanently deleted.
In the case of Defender and Defender for Endpoint, Yair noticed that Defender didn't delete files, but folders. Microsoft listed the vulnerability ID as “CVE-2022-37971” and patched the vulnerability in the latest version 1.1.19700.2 of the Microsoft Malware Protection Engine.
Meanwhile, TrendMicro, Avast and AVG also released updates to their products:
TrendMicro Apex One: Hotfix 23573 & Patch_b11136
Avast & AVG Antivirus: 22.10
More details about Akido Wiper and the exploit can be found on SafeBreach's official website here. The Akido Wiper POC was presented at the recent security conference Black Hat Europe 2022. So you can find more information here.