An examination of the code emulator built into ESET products found that it was not robust enough and could be easily compromised. This in turn allows an attacker to take complete control of a system running the vulnerable security product.
Before a user runs executable files or scripts, antivirus products first execute them in a code emulator integrated into the product and observe what they do. The process takes place in an isolated environment so that the real system is not affected.
Bug Is Triggered During Routine Scans
The vulnerability in NOD32 Antivirus was discovered by Tavis Ormandy of Google Project Zero. Furthermore, other products are affected as well, including the consumer versions for Windows, Linux and OS X, and the Business and Endpoint editions.
In the vulnerability report, Ormandy states that ESET NOD32 uses a minifilter or kext to intercept all disk I/O (input/output); the data is analyzed and, if executable code is detected, emulated. He also noted that many antivirus products include an emulator designed to let packed executables unpack themselves for a few cycles before signatures are applied.
Because disk I/O can be triggered in many ways, untrusted code reaches the disk whenever files, images, messages or any other kind of data are received. A stable and properly isolated code emulator is therefore essential in an antivirus product.
The vulnerability lies in the emulator's shadow stack handling and can be triggered whenever a scanning operation takes place, whether real-time, scheduled or manual.
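The passage above describes what an antivirus emulator has to do: run untrusted code for a bounded number of cycles, track control flow (including return addresses on a shadow stack), and never let a crafted sample reach outside the emulator. The following is an added illustration written for this article, not ESET's emulator or any code from the vulnerability report. It is a hypothetical toy bytecode machine in which every stack operation, shadow stack operation and instruction fetch is bounds-checked and the run is capped by a cycle budget; the opcode names, the `emulate` / `emulate_status` / `emulate_value` functions and the sample programs are all assumptions made for the example.

```c
/* Hypothetical toy emulator (added example, not ESET's code) showing the
 * checks an AV emulator needs: bounds-checked operand stack, bounds-checked
 * shadow stack for return addresses, no out-of-range fetches, cycle budget. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { OP_HALT = 0, OP_PUSH = 1, OP_ADD = 2, OP_CALL = 3, OP_RET = 4, OP_JMP = 5 };
enum { EMU_HALT = 0, EMU_BUDGET = 1, EMU_FAULT = 2 };

#define STACK_MAX  16
#define SHADOW_MAX 8

typedef struct {
    int32_t stack[STACK_MAX];  size_t sp;   /* operand stack of the sample */
    size_t  shadow[SHADOW_MAX]; size_t ssp; /* return addresses only; sample cannot write it */
    size_t  pc;
} vm_t;

/* Read one byte of the scanned sample; refuse to read past its end. */
static int fetch(const uint8_t *code, size_t len, size_t *pc, uint8_t *out) {
    if (*pc >= len) return 0;
    *out = code[(*pc)++];
    return 1;
}

/* Run at most `budget` instructions. Any malformed or hostile behaviour ends
 * the run with EMU_FAULT instead of corrupting emulator state. */
int emulate(const uint8_t *code, size_t len, unsigned budget, int32_t *result) {
    vm_t vm = {0};
    uint8_t op, imm;
    for (unsigned cycles = 0; cycles < budget; cycles++) {
        if (!fetch(code, len, &vm.pc, &op)) return EMU_FAULT;
        switch (op) {
        case OP_HALT:
            if (vm.sp == 0) return EMU_FAULT;
            *result = vm.stack[vm.sp - 1];
            return EMU_HALT;
        case OP_PUSH:
            if (!fetch(code, len, &vm.pc, &imm)) return EMU_FAULT;
            if (vm.sp >= STACK_MAX) return EMU_FAULT;       /* operand stack overflow */
            vm.stack[vm.sp++] = (int8_t)imm;
            break;
        case OP_ADD:
            if (vm.sp < 2) return EMU_FAULT;                 /* operand stack underflow */
            vm.stack[vm.sp - 2] += vm.stack[vm.sp - 1];
            vm.sp--;
            break;
        case OP_CALL:
            if (!fetch(code, len, &vm.pc, &imm)) return EMU_FAULT;
            if (vm.ssp >= SHADOW_MAX) return EMU_FAULT;     /* runaway recursion stays inside */
            vm.shadow[vm.ssp++] = vm.pc;
            vm.pc = imm;                                     /* checked by next fetch */
            break;
        case OP_RET:
            if (vm.ssp == 0) return EMU_FAULT;               /* RET with no matching CALL */
            vm.pc = vm.shadow[--vm.ssp];
            break;
        case OP_JMP:
            if (!fetch(code, len, &vm.pc, &imm)) return EMU_FAULT;
            vm.pc = imm;
            break;
        default:
            return EMU_FAULT;                                /* unknown opcode */
        }
    }
    return EMU_BUDGET;                                       /* ran out of cycles */
}

/* Constructed sample programs for the example (not real malware). */
static const uint8_t PROG_CALL_RET[] = { OP_PUSH, 2, OP_PUSH, 3, OP_CALL, 7, OP_HALT, OP_ADD, OP_RET };
static const uint8_t PROG_RECURSE[]  = { OP_CALL, 0 };   /* calls itself forever */
static const uint8_t PROG_BAD_RET[]  = { OP_RET };       /* RET without CALL */
static const uint8_t PROG_SPIN[]     = { OP_JMP, 0 };    /* infinite loop */

int emulate_status(const uint8_t *code, size_t len, unsigned budget) {
    int32_t v = 0;
    return emulate(code, len, budget, &v);
}

int32_t emulate_value(const uint8_t *code, size_t len, unsigned budget) {
    int32_t v = 0;
    return emulate(code, len, budget, &v) == EMU_HALT ? v : -1;
}

int main(void) {
    printf("call/ret: status %d value %d\n",
           emulate_status(PROG_CALL_RET, sizeof PROG_CALL_RET, 16),
           emulate_value(PROG_CALL_RET, sizeof PROG_CALL_RET, 16));
    printf("recurse: %d  bad ret: %d  spin: %d\n",
           emulate_status(PROG_RECURSE, sizeof PROG_RECURSE, 100),
           emulate_status(PROG_BAD_RET, sizeof PROG_BAD_RET, 100),
           emulate_status(PROG_SPIN, sizeof PROG_SPIN, 10));
    return 0;
}
```

The design point is that the shadow stack is emulator-private state the sample can never address, and every transition that touches it (CALL, RET) is checked before the write or read happens; an emulator that skips any one of these checks lets a file that merely gets written to disk, and therefore scanned, drive the scanner's own memory.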
The Attack Is Hardly Noticeable
According to Ormandy, the attack can be carried out without any visible sign and regardless of the attacker's access rights. It applies to every activity that causes disk I/O, such as installing programs, system logging or network access.
No user interaction is required, and the user is not alerted in any way, because disk I/O is a normal part of system operation.
Ormandy reported the vulnerability to ESET on June 18, and four days later the company released an update for the scan engine.