ESET Antivirus flaw that exposed Mac Users
ESET had launched a new campaign directed specifically at macOS users, prompted by the rise in ransomware. The team wanted more Mac users to adopt the ESET antivirus to protect their machines and information against viruses and security vulnerabilities.
Even software whose purpose is to protect your machine against attackers can itself carry exploitable vulnerabilities. According to a report from Google's research team, ESET Endpoint Antivirus 6 for macOS has a vulnerability that allows an attacker to remotely execute arbitrary code with root privileges.
With this vulnerability, an attacker can remotely run code as root and gain wide-ranging access to your information. The attacker intercepts ESET's connection to its backend server using a self-signed HTTPS certificate, which in turn lets them exploit a security flaw in the XML library. Further research established that the problem lies in the service named esets_daemon, which runs as root on behalf of the antivirus. This service is statically linked to the POCO XML parser library. That POCO version is built on version 2.0.1 of the Expat XML parser library, which has a known XML parsing vulnerability that lets an attacker execute arbitrary code through crafted XML content.
How does it work?
When the ESET Endpoint Antivirus license is activated, esets_daemon sends a request to https://edf.eset.com/edf. The service does not validate the web server's certificate, so a man-in-the-middle can intercept the request and answer it in place of the real server. In this case the attacker answers with a self-signed HTTPS certificate they created themselves, which exposes the XML library to attacker-controlled input.
When esets_daemon receives the response, it parses it as an XML document. This lets the attacker send malformed content that triggers CVE-2016-0718 and results in execution of arbitrary code. Because the attacker controls the connection, they can send malicious content to the root-level daemon and hijack the XML parser.
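The two paragraphs above describe a chain of two weaknesses: a TLS client that accepts any certificate, and an XML parser old enough to carry CVE-2016-0718. The following Python is an added example, not ESET's or Google's code, showing how a defender checks for both conditions: a hardened client TLS context beside the weak form the article describes, an audit function that flags the settings a man-in-the-middle needs, and a version check against the Expat linked into the interpreter (the fix threshold of Expat 2.2.0 is the release in which CVE-2016-0718 was addressed; `fetch_license_xml` and its URL parameter are illustrative names, not ESET's API).

```python
"""Defensive checks for the two weaknesses described above: a client that
accepts any server certificate, and a linked Expat older than the fix for
CVE-2016-0718.  Added example, not ESET's or Google's code."""
import ssl
import urllib.request
from xml.parsers import expat


def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """Build a TLS client context.

    verify=True  -> hardened form: CA verification, hostname check, TLS 1.2+.
    verify=False -> the weak form the article describes: any certificate,
                    including an attacker's self-signed one, is accepted.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if verify:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the findings that would let a man-in-the-middle succeed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified against a trust store")
    if not ctx.check_hostname:
        findings.append("server hostname is not checked against the certificate")
    return findings


def fetch_license_xml(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Fetch `url` over TLS using `ctx` (hypothetical stand-in for the
    daemon's licensing request).  With a hardened context a forged
    certificate raises ssl.SSLCertVerificationError instead of handing
    attacker-controlled bytes to the XML parser."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


# Expat 2.2.0 is the first release that fixes CVE-2016-0718.
EXPAT_FIXED = (2, 2, 0)


def expat_is_vulnerable(version=expat.version_info) -> bool:
    """True if the given Expat version (default: the one linked into this
    interpreter) predates the CVE-2016-0718 fix."""
    return tuple(version[:3]) < EXPAT_FIXED


if __name__ == "__main__":
    for label, ctx in (("hardened", make_client_context(True)),
                       ("weak", make_client_context(False))):
        print(label, "context findings:", audit_client_context(ctx) or "none")
    print("linked Expat", ".".join(map(str, expat.version_info)),
          "vulnerable to CVE-2016-0718:", expat_is_vulnerable())
```

Running the script prints two findings for the weak context and none for the hardened one; the same audit can be pointed at any `ssl.SSLContext` an application builds before it is used for a request.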
According to Google's report, the flaw was discovered in November, and the company worked on resolving it. The new version released on February 21st includes the patch and fully repairs the vulnerability. This ESET issue was the reason for major crashes within the system. The patch is available in version 188.8.131.52. It is recommended that you update to this version to protect your information from this crash.