Critical Local Privilege Escalation in Intego Windows Antivirus (v 3.0.0.1) Enables SYSTEM Takeover
What Happened – Researchers discovered that Intego’s Optimization module runs as SYSTEM and deletes files without validating whether the target is a regular file or a directory junction. By chaining this behavior with the well‑known Config.msi rollback trick, an unprivileged user can gain full SYSTEM privileges on Windows machines running Intego 3.0.0.1.
Why It Matters for TPRM –
- Endpoint‑security products are trusted third‑party controls; a flaw that grants SYSTEM rights undermines the entire security stack.
- Compromise of an antivirus can be leveraged to pivot across the network, exposing downstream vendors and customers.
- The vulnerability is publicly disclosed and exploitable, and no patch is available, raising immediate risk for organizations that have not updated.
Who Is Affected – Enterprises in any industry that use Intego’s Windows antivirus (version 3.0.0.1), especially those that rely on the product as their primary endpoint protection layer.
Recommended Actions –
- Verify whether any assets run Intego 3.0.0.1; inventory and tag them as high‑risk.
- Apply any available patches or upgrade to a newer, patched version immediately.
- If patching is not possible, mitigate by disabling the Optimization module or restricting its execution to privileged accounts.
- Conduct a focused security review of systems where Intego runs with SYSTEM privileges to ensure no post‑compromise artifacts remain.
Technical Notes – The exploit abuses an arbitrary file‑deletion primitive in the Optimization module, which follows directory junctions (symlink‑like reparse points) without checking for them, combined with the Config.msi rollback mechanism documented by ZDI. No CVE has been assigned yet; the attack vector is local exploitation of this flaw, resulting in privilege escalation to SYSTEM. Data exposed includes system binaries and potentially any files the attacker can read or write after gaining SYSTEM privileges. Source: Quarkslab Blog
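The root cause described above is a privileged cleanup routine that deletes a path without checking whether any component of it is a junction or symlink. The following added example (not code from Intego, Quarkslab or ZDI) shows the check such a routine should perform before deleting: it resolves only the trusted root, then walks every component from the root to the target with lstat, refusing reparse points, path escapes and anything that is not a regular file. The `safe_unlink` and `demo` names are assumptions; the temporary directory and symlink in `demo` are constructed for illustration (on Linux a directory symlink stands in for a Windows junction).

```python
"""Hardened file deletion for a SYSTEM-level cleanup task: never follow junctions/symlinks."""
import os
import stat
import tempfile


def is_reparse_point(path: str) -> bool:
    """True if PATH itself (not its target) is a symlink, junction or other reparse point."""
    st = os.lstat(path)                       # lstat: inspect the link, do not follow it
    if stat.S_ISLNK(st.st_mode):
        return True
    # On Windows, junctions and mount points are reparse points but not S_ISLNK symlinks.
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def safe_unlink(root: str, target: str) -> bool:
    """Delete TARGET (relative to ROOT) only if it is a regular file, stays under ROOT,
    and no component between ROOT and TARGET is a reparse point. Returns True if deleted."""
    root = os.path.realpath(root)             # the trusted root is the only path we resolve
    full = os.path.abspath(os.path.join(root, target))  # normalise, but do NOT resolve links
    try:
        if os.path.commonpath([root, full]) != root:      # reject "..\\..\\Windows" escapes
            return False
    except ValueError:                                    # different drives on Windows
        return False
    cur = root
    for part in os.path.relpath(full, root).split(os.sep):  # check every component in turn
        cur = os.path.join(cur, part)
        if not os.path.lexists(cur) or is_reparse_point(cur):
            return False
    if not stat.S_ISREG(os.lstat(full).st_mode):          # directories, devices etc. are refused
        return False
    os.unlink(full)
    return True


def demo() -> dict:
    """Constructed scenario: a real file, plus a directory symlink (junction stand-in)
    that points back at the root, so the same file is reachable through the link."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "real.tmp"), "w") as fh:
        fh.write("x")
    os.mkdir(os.path.join(root, "sub"))
    os.symlink(root, os.path.join(root, "sub", "link"))   # requires privilege on Windows
    via_link = safe_unlink(root, os.path.join("sub", "link", "real.tmp"))  # refused
    escape = safe_unlink(root, os.path.join("..", "escape.tmp"))           # refused
    still_there = os.path.exists(os.path.join(root, "real.tmp"))           # untouched
    direct = safe_unlink(root, "real.tmp")                                 # deleted
    return {"via_link": via_link, "escape": escape,
            "still_there": still_there, "direct": direct}
```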