ESET Mac antivirus

Mac users utilizing ESET's endpoint antivirus are advised to update to version 6.4.168.0 as soon as possible in order to mitigate a serious issue that allows attackers to execute arbitrary code on their machines.

The issue, discovered by Google security researcher Jason Geffner, stems from ESET's use of an outdated third-party library in its antivirus code.

ESET Mac antivirus used vulnerable XML parsing library

Geffner says vulnerable versions of the ESET Mac antivirus used the POCO XML parser library version 1.4.6p1 from 2013-03-06, which in turn was forked from Expat XML parser library version 2.0.1 from 2007-06-05.

Recently, security researchers became aware of a vulnerability (CVE-2016-0718) in the Expat library that allowed for remote code execution via malformed XML content.

This Expat flaw trickled down to the ESET Mac antivirus, where developers had used POCO to parse XML content streams.

Flaw resides in license verification daemon

One of the places where the ESET Mac antivirus interacted with XML streams was its license verification mechanism.

According to Geffner, when an ESET antivirus daemon checks at startup whether the user has a valid license, an attacker who can intercept traffic on the local network can pick up the query and answer in place of ESET's servers.

This lets the attacker send back a malformed XML response that triggers the execution of malicious code on the user's Mac. The issue is exacerbated because the license verification daemon runs as root, meaning the exploit code also runs as root, with every privilege on the system available to the attacker.

Geffner also places part of the blame on ESET because its antivirus does not verify the HTTPS certificate of the ESET server that handles license verification. This is what lets the attacker issue a fake response on the server's behalf in the first place, without the antivirus noticing anything wrong.
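To make the two weaknesses concrete from the defender's side, here is an added illustration (not ESET's code, and not Geffner's PoC) of a license-check client in Python: the weak TLS setting that accepts any certificate sits beside the hardened default, the client refuses to talk over an unverified channel, and the reply is size-bounded before it reaches the XML parser. The endpoint URL and the sample reply are constructed placeholders.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed placeholder endpoint; not a real ESET URL.
LICENSE_URL = "https://license.example.invalid/verify"

# Constructed sample of what a well-formed license reply might look like.
SAMPLE_REPLY = b"<license><status>valid</status><expires>2017-12-31</expires></license>"


def insecure_context() -> ssl.SSLContext:
    """The weak setting: any certificate is accepted, so whoever answers the
    request on the network is treated as the license server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain and hostname are verified against the system trust store, or
    against a pinned CA bundle when cafile is given."""
    return ssl.create_default_context(cafile=cafile)


def context_verifies_server(ctx: ssl.SSLContext) -> bool:
    """Audit check: both the certificate chain and the hostname must be verified."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_license_reply(url: str, ctx: ssl.SSLContext, max_len: int = 65536) -> bytes:
    """Refuse an unverified channel up front, and bound the reply size before
    any of it reaches the XML parser."""
    if not context_verifies_server(ctx):
        raise RuntimeError("license check refused: TLS context does not verify the server")
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        data = resp.read(max_len + 1)
    if len(data) > max_len:
        raise ValueError("license reply exceeds size bound")
    return data


def parse_license_reply(xml_bytes: bytes) -> dict:
    """Parse only the fields the client needs; reject unexpected documents."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "license":
        raise ValueError("unexpected root element %r" % root.tag)
    return {"status": root.findtext("status", default="unknown"),
            "expires": root.findtext("expires", default="")}
```

Keeping the parser behind a verified channel and a size cap does not fix a vulnerable Expat; updating the library, as ESET did, is still the actual remedy.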

Proof-of-concept code available online

Geffner has released proof-of-concept code online that exploits this flaw. The PoC only crashes the ESET Mac antivirus, but more complex exploit code can be built on its structure.

ESET has fixed this flaw, tracked as CVE-2016-9892, with the release of ESET Endpoint Antivirus 6.4.168.0. ESET Mac users are advised to update as soon as possible.

Geffner is the second researcher who has found a severe bug in ESET antivirus products, after Tavis Ormandy discovered a similar issue in June 2015.

Google researchers have been very busy lately, discovering issues in Cloudflare's infrastructure and various Microsoft products [1, 2].