Old versions of ESET anti-virus for macOS subject to exploit granting root access to assailant

The outdated XML library included in a recent update to ESET Endpoint Antivirus 6 is subject to a buffer overflow bug, according to Google researchers. Assailants using a man-in-the-middle targeted attack can intercept licensing credential data transfers, allowing for a machine masquerading as the licensing server to pass bogus data.

In this case, a forged HTTPS certificate can be sent, allowing the attacker to control the connection. A follow-up transmission can contain a maliciously crafted XML package, allowing for root-level code execution.

"When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a request to https://edf.eset.com/edf," reports Google Security Team's Jason Geffner and Jan Bee. "The esets_daemon service does not validate the web server's certificate, so a man-in-the-middle can intercept the request and respond using a self-signed HTTPS certificate. The esets_daemon service parses the response as an XML document, thereby allowing the attacker to supply malformed content."

The flaw was discovered by Google, and reported to ESET in early November 2016. A patch rectifying the problem was supplied to the researchers in early February with a release on Feb. 21.

The attack does not need to be tailored to a specific machine, like other Mac malware packages require. All it demands is the awareness that a target is running the ESET tool, and the means to utilize a "man in the middle" attack, such as a public wi-fi hotspot.

ESET issued a patch for the issue on Feb. 21, prior to the public disclosure of the flaw. Users should ensure that ESET Endpoint Antivirus version 6.4.168.0 is installed, and not any prior version.