
Google Researcher finds top Antivirus provider, ESET Antivirus plagued with flaws ‘Trivial’ to find


Batu69


Fresh leaks from Edward Snowden earlier this week showed how the National Security Agency (NSA) targeted foreign antivirus firms for snooping. That the intelligence agencies were interested in exploiting antivirus does not come as a surprise, because almost all files across operating systems from Windows to Macs can be accessed by the security software.

According to Forbes, the antivirus companies said that since they were used to being attacked, the findings did not really surprise them. They stated that they were absolutely cautious in making secure code.

Tavis Ormandy, a Google researcher and a member of the elite Project Zero hacker team, asserted just a few days into the research that it is not very hard to find serious problems in any antivirus software. True to his word, he discovered worrisome flaws in ESET antivirus, one of the security companies targeted by the NSA and GCHQ as per the Snowden leaks.

Ormandy targeted some specific abilities in ESET that are found across antivirus products. In particular, he went after the emulator, which allows unchecked code, like programs that unpack compressed files (i.e. .zip files), to run in a segmented, separated environment.

Ormandy found that the emulator in ESET was not well isolated and could be “trivially compromised” to run malicious code within the virtual environment, which he could then escape to exploit the wider system. He found it was possible to carry out a remote exploit for an ESET vulnerability with potentially disastrous outcomes for all ESET AV customers including the business ones.

The susceptible code is shared by all currently supported versions and editions of ESET, which includes the Windows software, Business editions and Mac OS X versions. ESET has come up with an update that should lessen the gravity of any attacks, which are now likely to happen as Ormandy has released exploit code.

Ormandy was vocal about the impact of his findings: “Any network connected computer running ESET can be completely compromised. A complete compromise would allow reading, modifying or deleting any files on the system regardless of access rights; installing any program or rootkit; accessing hardware such as camera, microphones or scanners; logging all system activity such as keystrokes or network traffic; and so on,” he stated.

“Because there is zero user-interaction required, this vulnerability is a perfect candidate for a worm. Corporate deployments of ESET products are conducive to rapid self-propagation, quickly rendering an entire fleet compromised. All business data, PII, trade secrets, backups and financial documents can be stolen or destroyed.”

He pointed out that the activity would be viewed as normal by the AV software, and hence there would be no proof of a breach. The magnitude of such an exploit being in the hands of cyber criminals can be gauged from the fact that the AV software scans most of the system files.

Ormandy stated that an attacker could also put the exploit onto a USB drive for quicker deployment. As soon as the device was plugged in, the code would run and the exploit would launch on its own without showing any sign of what was happening. Ormandy said that email would provide another good way in, as a MIME attachment running in Apple's Mail app or Microsoft's Outlook would launch the exploit without any user interaction at all.

ESET has not yet commented on the vulnerability in its software.

News source


Thing is, I knew people who ran ESET as far back as v2 (2007-2015) and this exploit never was in the wild. No one ever shared with me that they were attacked. No one even knew about it till the Google developer discovered it in a VM.

Ormandy suggested an attacker could load the exploit onto a USB drive. The code would run as soon as the device was plugged in and the exploit automatically launched without any indication of what was happening. Email would provide another good way in, as a MIME attachment running in Apple’s Mail app or Microsoft’s Outlook would launch the exploit without any user interaction whatsoever.

ESET has pushed out an update that should mitigate any attacks, which are now far likelier as Ormandy has released exploit code.

http://www.forbes.com/sites/thomasbrewster/2015/06/24/google-eset-antivirus-hack-easy/?ss=Security

And it most likely will never happen because ESET patched this almost 3 days ago :lol:

Update 11824 2015-06-22
A security vulnerability has been fixed in the scanning engine which was reported to us by Tavis Ormandy of Google Project Zero.

http://www.virusradar.com/en/update/info/11824

And he didn't post the exploit till after it was patched.

http://googleprojectzero.blogspot.com/2015_06_01_archive.html

And if you ever could have caught it on Windows before it was made public... it was most likely from letting Outlook check emails from people you don't know, or someone plugging it into your USB. Something I don't do or allow. Do you use Outlook still? :P


This is what a Global Digital PR working for ESET said about it.

Hey guys!

I am working in ESET as a Global Digital PR. Just to note that this vulnerability didn’t affect the core emulation engine and we already released an update over the weekend.

You can find more detailed information in our blog: http://www.eset.com/int/about/press/eset-blog/article/eset-vulnerability-fixed/

Thanks! Just for the record: it was reported after-hours on a Friday, and fixed on Monday.

https://www.reddit.com/r/netsec/comments/3avp8o/analysis_and_exploitation_of_an_eset_vulnerability/
The blog post at ESET says:

On 22nd June 2015, ESET released an update that fixes a vulnerability in scanning engine related to code emulation. The discovery was made by Google’s Project Zero team and published on 23rd June 2015.

The vulnerability was found in the emulation routine used in a particular scanner for a specific malware family.

It didn’t affect the core emulation engine.

ESET reacted immediately and released the update over the weekend, in just three days of Google’s standard 90-day disclosure period.

ESET continually performs code refactoring in order to improve efficiency and quality of products. As a result, this vulnerability was already not present in ESET’s pre-release engine. Pre-release updates give access to the most recent detection methods and fixes and are available to everybody. In order to achieve maximum reliability, ESET uses specialized tools, runs multiple code reviews and gradually deploys mitigations to make the code more robust.

ESET is a global company with research facilities around the world. Protecting customers is always the first priority.

http://www.eset.com/int/about/press/eset-blog/article/eset-vulnerability-fixed/
It takes Windows and Mac months to fix exploits; they fixed it a few days later, as soon as they got back from the weekend. You can go to pre-release updates and get the new engine if you don't think the update was enough and you're worried. :)

And this is what ESET moderators say about the NSA attacks:

There have been recent news reports that US and British intelligence agencies have probed anti-malware vendor software for vulnerabilities in an effort to improve their own surveillance efforts. All of us in the information security industry stand together against any efforts designed to weaken our security products. For more information on ESET’s stance see our statement regarding the detection of government malware here: (http://www.welivesec...rnment-malware/).

ESET is a global company with research facilities around the world. Protecting our customers, our products and our systems against intrusions of any kind, no matter the source is always our first priority. In connection to these reports, we have inspected our systems and found no indicators of compromise.

https://forum.eset.com/topic/5218-nsa-gchq-attacks/

I have accidentally opened Outlook Express about a dozen times, but I don't have an e-mail with Outlook; I never wanted one. I have a Gmail email address associated with my Microsoft account and Skype login; I don't have an MSN or anything. I never got interested in them, I don't know why. I used to use ESET back in version seven; I stopped using it, and I decided to use it again because I wanted to know how good the advanced memory scanner is (I wanted to find out from my own experience, not from someone else).

Avast antivirus has this code emulation feature too; it's an option you can check in Avast called code emulation. I don't know how good it is, I never tested it, but now I want to, and I want to test ESET's with the new patch.
