Google Researcher finds top Antivirus provider, ESET Antivirus plagued with flaws ‘Trivial’ to find

Petrovic

Google Researcher Exposes ‘Trivially compromised’ critical flaw in ESET’s Antivirus
Fresh leaks from Edward Snowden earlier this week showed how the National Security Agency (NSA) aimed at foreign antivirus firms for snooping. That the intelligence agencies were interested in exploiting antivirus does not come as a surprise, because almost all files across operating systems, from Windows to Macs, can be accessed by the security software.

According to Forbes, the antivirus companies said that since they were used to being attacked, the findings did not really surprise them. They stated that they were absolutely cautious in writing secure code.

Tavis Ormandy, a Google researcher and a member of the elite Project Zero hacker team, asserted just a few days into the research that it is not very hard to find serious problems in any antivirus software. True to his word, he discovered worrisome flaws in ESET antivirus, one of the security companies targeted by the NSA and GCHQ as per the Snowden leaks.

Ormandy targeted some specific abilities in ESET that are found across antivirus products. In particular, he went after the emulator, which allows unchecked code, like programs that unpack compressed files (i.e. .zip files), to run in a segmented, separated environment.

Ormandy found that the emulator in ESET was not well isolated and could be “trivially compromised” to run malicious code within the virtual environment, which he could then escape to exploit the wider system. He found it was possible to carry out a remote exploit for an ESET vulnerability with potentially disastrous outcomes for all ESET AV customers including the business ones.

The susceptible code is shared by all currently supported versions and editions of ESET, which includes the Windows software, Business editions and Mac OS X versions. ESET has come up with an update that should lessen the gravity of any attacks, which are now likely to happen as Ormandy has released exploit code.

Ormandy was vocal about the impact of his findings: “Any network connected computer running ESET can be completely compromised. A complete compromise would allow reading, modifying or deleting any files on the system regardless of access rights; installing any program or rootkit; accessing hardware such as camera, microphones or scanners; logging all system activity such as keystrokes or network traffic; and so on,” he stated.

“Because there is zero user-interaction required, this vulnerability is a perfect candidate for a worm. Corporate deployments of ESET products are conducive to rapid self-propagation, quickly rendering an entire fleet compromised. All business data, PII, trade secrets, backups and financial documents can be stolen or destroyed.”

He pointed out that the activity would be viewed as normal by the AV software, and hence there would be no proof of a breach. The magnitude of such an exploit being in the hands of cyber criminals can be gauged from the fact that the AV software scans most of the system files.

Ormandy stated that an attacker could also put the exploit onto a USB drive for quicker deployment. As soon as the device was plugged in, the code would run and the exploit would launch on its own without showing any sign of what was happening. Ormandy said that email would provide another good way in, as a MIME attachment opened in Apple's Mail app or Microsoft's Outlook would launch the exploit without any user interaction at all.

ESET has not yet commented on the vulnerability in its software.
 

comfortablynumb15

I'm pretty certain you're bound to find lots of this in the majority of these programs. It's rough to think that your trusted security isn't so trustworthy, but you shouldn't really be putting too much trust in them to begin with.
 
hjlbx


It's too bad high-level pen-testing of AVs is not routine practice. If that were indeed the case, then it would paint a rather grim picture of all AV products.

I'm sure of it...they're all full of "holes" - like Swiss cheese.

Instead, we're stuck with low-end pen-testing and bug reports by users, which is better than nothing, I suppose...
 

Nikos751

Interesting article. I wonder if AVs that are not used that widely have a chance of protecting your PC better due to the limited attention coming from the malware writers.
 

Petrovic

ESET released an update signature (11824) on June 22nd, which updated the scanning engine. This update has patched the loophole reported by Google.

Hover your mouse cursor over the ESET icon in the system tray and it will display a small pop-up. The second line of the pop-up message displays the “Virus Signature Database”, next to which you will find the signature number. If your computer is connected to the internet, ESET’s database should be updated automatically and will display a signature number more recent than 11824.
 

Cch123

That's why I like to stick to well-known security solutions (e.g. those from Symantec, McAfee, Sophos, Trend Micro and Kaspersky). At least their Enterprise solutions are very commonly tested by vulnerability research teams. Big MNCs hire vulnerability research companies to audit their EP products, and that is not counting their own internal security teams. Also, their source code is sometimes audited by governments.
 
sunil22

All truths are easy to understand once they are discovered; the point is to discover them. Good post :)
 