Bitdefender Anti-Virus: Heap Buffer Overflow via 7z LZMA

83 points by landave almost 8 years ago

7 comments

jimrandomh almost 8 years ago
With most types of software, if you're stuck with C/C++, you want to keep the development to a high standard where there aren't any bugs like this. But anti-virus software is unusual in that it needs to handle malicious input of an unusually wide variety of file formats, which makes completely eliminating file-format vulnerabilities basically unfeasible without some sort of broadly-applicable fix.

That fix could be a memory-safe language, or it could be sandboxing. But the assumption should be that for any antivirus product which does its file-parsing in C or C++, and which doesn't sandbox its scanning engine, there's going to be at least one critical vulnerability in the scanner. Bitdefender is still unsandboxed, so fixing this particular vulnerability is only of limited use; there are almost certainly other, similar vulnerabilities in it, so users running it are vulnerable to anyone with the resources to find one.

AV companies have mostly gotten away with this sort of thing in the past, because individual AV scanners tend to have low enough market share that they aren't as desirable targets as web browsers. But Windows Defender recently broke that trend by being present on every Windows system, and having a critical vulnerability, so now there are a lot more researchers looking at unsandboxed AV scanning engines and finding problems.
veeti almost 8 years ago
> Moreover, the engine runs unsandboxed and as NT Authority\SYSTEM.

Is there an antivirus that _doesn't_ parse untrusted input in a process with full system privileges? What a joke.
WalterBright almost 8 years ago
"Assuming that the size is not explicitly casted, the compiler should throw a warning of the following kind:"

In D, implicit truncation of an integer value is an error, not a warning.

I've predicted before that lack of memory safety will be the demise of C in internet-facing programs. Dealing with the bugs is just too expensive.
pmoriarty almost 8 years ago
"Note also that Bitdefender’s engine is licensed to many different anti-virus vendors, all of which could be affected by this bug."
fosco almost 8 years ago
Might we agree to recommend to Microsoft users that they should use Microsoft AV. About 6 months ago we had a similar discussion [0] which arrived at that conclusion.

[0] https://news.ycombinator.com/item?id=13489100
atomical almost 8 years ago
> I want to thank Bitdefender and especially Marius for their response as well as for fixing the bug.

I don't see an update for the mac version.
bullen almost 8 years ago
Bitdefender has problems with HTTP comet stream. Stop buying it so the company can go bankrupt.