ESET software allows Mac remote code execution attacks

The flaw can be exploited to push root code execution through MiTM attacks.


Researchers have discovered a bug in ESET Endpoint Antivirus software which can be exploited to perform remote execution attacks through the root of Apple Mac systems.

This week, a security advisory published by Google Security Team's Jason Geffner and Jan Bee revealed that ESET Endpoint Antivirus software 6 contained a critical security flaw, CVE-2016-9892, which permits attackers to attack Mac systems running the vulnerable software.

If exploited, the bug allows cyberattackers to execute code as root, of which the possibilities for damage are endless.

The problem lies within an outdated XML parsing library utilized by the software which does not perform proper server authentication checks. The esets_daemon service, which runs as root, is linked to a legacy version of the POCO XML parser library.

The library version is based on Expat 2.0.1, released in 2007, which contains a public XML parsing vulnerability -- CVE-2016-0718 -- that allows the execution of malicious code through malformed XML content.

When ESET Endpoint Antivirus attempts to activate its license on a PC, esets_daemon sends a request which is not validated by the web server's certificate, which means attackers can launch a man-in-the-middle (MiTM) attack to intercept the request.

Should this prove to be successful, they can issue a self-signed HTTPS certificate, then parsed as an XML document by the service. This, in turn, gives attackers the opportunity to push through malformed content and exploit the security flaw.

Geffner and Bee provided proof of concept (PoC) instructions in the security advisory.

After the Google Security Team's discovery in November last year, Geffner and Bee reported the problem to ESET. The security firm provided Google with a patched build to check in February this year and after confirmation that the software was no longer vulnerable released a patched version to the public, version

Users of ESET Endpoint Antivirus software 6 should immediately make sure their software is up-to-date to protect themselves against the exploit.

An ESET spokesperson told ZDNet:

"Recently, The Google Security Team discovered vulnerabilities in ESET's consumer and business products for macOS that under some circumstances could allow a user's machine to be compromised. All of the details are available in our support site.

Working together with The Google Security Team, we issued updates on February 13th and 14th that corrected the issues before the vulnerability became public. All users with the latest version of ESET products are not vulnerable to these issues.

To our knowledge, no users have reported any incidents around the discoveries."

How IBM turned Watson into a cybersecurity-expert-as-a-service:

Video: How IBM turned Watson into a cybersecurity-expert-as-a-service