Old versions of ESET anti-virus for macOS subject to exploit granting root access to assai...

Posted:
in Mac OS X
A newly discovered exploit in an update made to ESET anti-virus package in October 2016 contains an outdated XML parser from 2007 that is vulnerable to attack, allowing root-level code execution, and ultimately a compromised machine.




The outdated XML library included in a recent update to ESET Endpoint Antivirus 6 is subject to a buffer overflow bug, according to Google researchers. Assailants using a man-in-the-middle targeted attack can intercept licensing credential data transfers, allowing for a machine masquerading as the licensing server to pass bogus data.

In this case, a forged HTTPS certificate can be sent, allowing the attacker to control the connection. A follow-up transmission can contain a maliciously crafted XML package, allowing for root-level code execution.

"When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf," reports Google Security Team's Jason Geffner and Jan Bee. "The esets_daemon service does not validate the web server's certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content."

The flaw was discovered by Google, and reported to ESET in early November 2016. A patch rectifying the problem was supplied to the researchers in early February with a release on Feb. 21.

The attack does not need to be tailored to a specific machine, like other Mac malware packages require. All it demands is the awareness that a target is running the ESET tool, and the means to utilize a "man in the middle" attack, such as a public wi-fi hotspot.

ESET issued a patch for the issue on Feb. 21, prior to the public disclosure of the flaw. Users should ensure that ESET Endpoint Antivirus version 6.4.168.0 is installed, and not any prior version.

Comments

  • Reply 1 of 7
    lkrupplkrupp Posts: 4,726member
    Sorry, never heard of this product.
    lostkiwi
  • Reply 2 of 7
    coolfactorcoolfactor Posts: 1,061member
    lkrupp said:
    Sorry, never heard of this product.

    Same, never heard of it until now.
    lostkiwi
  • Reply 3 of 7
    It's mostly an enterprise product. It has pretty decent penetration.
    lostkiwihelicoil
  • Reply 4 of 7
    john.bjohn.b Posts: 2,690member
    Typical of anti-malware software for the Mac, the "cure" is far more dangerous than the disease. 
    lostkiwi
  • Reply 5 of 7
    Herbivore2Herbivore2 Posts: 299member
    It's mostly an enterprise product. It has pretty decent penetration.
    Mostly an enterprise product. If they have any consumer sales, where are they? I haven't heard of them either. 
  • Reply 6 of 7
    helicoilhelicoil Posts: 27member
    We use at at the office, mac and pc network. We're looking to change to BitDefender as ESET is dog slow on macs (it can add another 20-30 secs to boot time), and this will only hasten our change.
  • Reply 7 of 7
    helicoilhelicoil Posts: 27member
    It's mostly an enterprise product. It has pretty decent penetration.
    Mostly an enterprise product. If they have any consumer sales, where are they? I haven't heard of them either. 
    They were No 2 (or 3) in 2015 for AV (Enterprise). http://www.av-comparatives.org/wp-content/uploads/2015/03/security_survey2015_en.pdf "• Kaspersky Lab and ESET are the two most popular desktop security products worldwide, and feature in the top four products on every continent with significant results."
    edited March 2
Sign In or Register to comment.