High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers.
“This wiper runs with the permissions of an unprivileged user yet has the ability to wipe almost any file on a system, including system files, and make a computer completely unbootable,” SafeBreach Labs researcher Or Yair said. “It does all that without implementing code that touches the target files, making it fully undetectable.”
EDR software, by design, are capable of continually scanning a machine for potentially suspicious and malicious files, and taking appropriate action, such as deleting or quarantining them.
The idea, in a nutshell, is to trick vulnerable security products into deleting legitimate files and directories on the system and render the machine inoperable by making use of specially crafted paths.
This is achieved by taking advantage of what’s called a junction point (aka soft link), where a directory serves as an alias to another directory on the computer.
images from Hacker News