Google Researcher Exposes ‘Trivially compromised’ critical flaw in ESET’s Antivirus
Fresh leaks from Edward Snowden earlier this week showed how the National Security Agency (NSA) targeted foreign antivirus firms for snooping. That the intelligence agencies were interested in exploiting antivirus does not come as a surprise, because security software can access almost every file on the operating systems it protects, from Windows to Macs.
According to Forbes, the antivirus companies said that since they were used to being attacked, the findings did not really surprise them. They stated that they were extremely careful about writing secure code.
Tavis Ormandy, a Google researcher and a member of the elite Project Zero hacker team, asserted just a few days into his research that it is not very hard to find serious problems in any antivirus software. True to his word, he discovered worrisome flaws in ESET antivirus, one of the security companies targeted by the NSA and GCHQ according to the Snowden leaks.
Ormandy targeted specific capabilities in ESET that are found across antivirus products. In particular, he went after the emulator, which allows untrusted code, such as programs that unpack compressed files (e.g. .zip files), to run in a sandboxed, isolated environment.
Ormandy found that the emulator in ESET was not well isolated and could be “trivially compromised” to run malicious code within the virtual environment, which he could then escape to exploit the wider system. He found it was possible to carry out a remote exploit for an ESET vulnerability with potentially disastrous outcomes for all ESET AV customers including the business ones.
The vulnerable code is shared by all currently supported versions and editions of ESET, including the Windows software, the Business editions and the Mac OS X versions. ESET has released an update that should limit the severity of any attacks, which are now more likely since Ormandy has published his exploit code.
Ormandy was vocal about the impact of his findings: “Any network connected computer running ESET can be completely compromised. A complete compromise would allow reading, modifying or deleting any files on the system regardless of access rights; installing any program or rootkit; accessing hardware such as camera, microphones or scanners; logging all system activity such as keystrokes or network traffic; and so on,” he stated.
“Because there is zero user-interaction required, this vulnerability is a perfect candidate for a worm. Corporate deployments of ESET products are conducive to rapid self-propagation, quickly rendering an entire fleet compromised. All business data, PII, trade secrets, backups and financial documents can be stolen or destroyed.”
He pointed out that the activity would appear normal to the AV software, so there would be no evidence of a breach. The magnitude of such an exploit falling into the hands of cyber criminals can be gauged from the fact that the AV software scans most files on the system.
Ormandy stated that an attacker could also put the exploit onto a USB drive for quicker deployment. As soon as the device was plugged in, the code would be scanned and the exploit would launch on its own without showing any sign of what was happening. Ormandy said that email would provide another good way in, as a MIME attachment received in Apple's Mail app or Microsoft's Outlook would trigger the exploit without any user interaction at all.
ESET has not yet commented on the vulnerability in its software.