- Jan 24, 2011
An analysis of the code emulator available in ESET products showed that the component was not sufficiently robust and could be easily compromised, allowing an attacker to take complete control of a system running the vulnerable security solution.
Code emulation has been integrated into antivirus products to run executable files and scripts before the user launches them and to monitor their activity on the system. The process takes place in an isolated environment that should not affect the real system.
The data collected is supplied to the heuristic analyzer, which decides whether the routines are malicious or suspicious, after which a detection signature is created.
Glitch triggered during scan routine
Tavis Ormandy from Google Project Zero discovered the vulnerability in NOD32 Antivirus but other products are affected, including consumer versions for Windows, OS X and Linux as well as Endpoint and Business editions.
“Many antivirus products include emulation capabilities that are intended to allow unpackers to run for a few cycles before signatures are applied. ESET NOD32 uses a minifilter or kext [kernel extension] to intercept all disk I/O, which is analyzed and then emulated if executable code is detected,” Ormandy says in the vulnerability report.
Because disk I/O operations can be triggered in numerous ways, untrusted code can pass through the disk whenever messages, files, images or other types of data are received, hence the need for a robust and properly isolated code emulator in antivirus solutions.
The vulnerability lies in the management of a shadow stack task and can be triggered whenever a scanning operation (real-time, scheduled or manual) occurs.
Read more: http://news.softpedia.com/news/eset-products-vulnerable-to-remote-root-exploit-485191.shtml