Like any other software, security software is sure to have some vulnerabilities that can be exploited by attackers.
The latest in a long list of examples that prove this fact is the recently revealed remote code execution flaw affecting all but the latest version of ESET Endpoint Antivirus 6 for macOS.
Discovered and reported by Jason Geffner and Jan Bee of the Google Security Team, the vulnerability (CVE-2016-9892) is present because the esets_daemon service is statically linked with an outdated version of the POCO XML parser library.
“This version of POCO is based on Expat (http://expat.sourceforge.net/) version 2.0.1 from 2007-06-05, which has a publicly known XML parsing vulnerability (CVE-2016-0718) that allows for arbitrary code execution via malformed XML content,” the researchers explained.
“When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf. The esets_daemon service does not validate the web server’s certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution as root.”
ESET has already fixed the flaw by upgrading the POCO parsing library to the latest build and by making the software verify the ESET licensing web server’s SSL certificate on all supported OS X/macOS.
So, if you’re a user of the software, make sure you upgrade to the latest version (126.96.36.199), as the researchers have also released proof-of-concept code (luckily, just to show how the software can be crashed).
Google researchers have been analyzing security software for vulnerabilities for a few years now. The company’s Project Zero team, which aims to improve the security of any software that has a large user-base, has unearthed serious vulnerabilities in Kaspersky and FireEye products, Trend Micro and Comodo security software, the consumer version of Malwarebytes Anti-Malware, Symantec’s anti-virus engine, and others.