Vulnerabilities in scanning and emulation repaired
ESET Customer Advisory 2015-0002
July 10th, 2015
ESET has distributed fixes for vulnerabilities that the Google Project Zero team reported in the scanning and emulation routines of several ESET products. Fixes for all reported issues were distributed in regular in-product updates, which are automatically downloaded by ESET products with a working internet connection and valid license.
The following updates and module versions resolve the issues mentioned in this advisory:
- Virus signature database 12157 and later
- Archive support module 1232 and later (distributed with virus signature database 11884)
- Advanced heuristics module 1160 and later (distributed with virus signature database 12167)
To ensure that you are not exposed to these issues, make sure that clients on your network or personal computers are using virus signature database 11905 or later to resolve all issues reported. Visit the appropriate Knowledgebase article below to check which virus signature database version is in use on your network or personal computer:
- Business users with ESET Remote Administrator 6.x / version 6 endpoint products
- Business users with ESET Remote Administrator 5.x / version 5 endpoint products
- Home users
On June 19th, 2015, ESET received a report detailing a vulnerability that could be exploited to perform a code execution attack with system privileges. The vulnerability was found in the emulation routine used in a particular scanner for a specific malware family. A fix was made available on June 22nd, 2015.
On June 26th, 2015, a second report was received. This report involved a vulnerability in a product module used to examine a specific archive type. The issue could cause the ESET service to stop and could be exploited to perform a code execution attack with escalated privileges. A fix for this issue was released on June 29th, 2015.
From June 30th to July 6th we received a few more reports, three of which were confirmed to affect our then-current products. These issues could cause scanning routines to malfunction and potentially stop the ESET service (the service restarts automatically when stopped in this way). All of these issues have been resolved through regular in-product updates.
On July 14 we received 3 reports of issues that could cause scanning routines to malfunction and potentially stop the ESET service (the service restarts automatically when stopped this way). One of the issues had already been fixed, the second was fixed on the following day, and the last one was fixed two days after the report.
On July 15 we received another report regarding a vulnerability that could theoretically be exploited to perform a code execution attack. ESET prepared a fix on the following day and started to distribute it to all users two days after the report, in Advanced heuristics module 1157 and later.
On July 25 and 26 we received 2 additional reports of issues that could cause remote code execution and an ESET service restart, respectively. The first one was fixed internally on the following day, and the fix was distributed to users two days later with Advanced heuristics module 1160 and later. The second issue was fixed on the same day it was reported, and the fix was also distributed publicly that same day with Virus signature database update 12157 and later.
Affected Programs and Versions
- ESET Endpoint Security & ESET Endpoint Antivirus for Windows and Mac OS X
- ESET NOD32 Antivirus Business Edition for Linux
- ESET Smart Security & ESET NOD32 Antivirus for Windows
- ESET Cyber Security & ESET Cyber Security Pro for Mac OS X
- All ESET server products except for ESET Remote Administrator
These issues were reported to ESET by Google Project Zero Team researcher Tavis Ormandy.
- Version 1.4 (October 2nd, 2015): Details section additions
- Version 1.3 (July 17th, 2015): Links to particular Knowledgebase content
- Version 1.2 (July 10th, 2015): Advisory updated with current information reflecting all current Google reports, with solutions available
- Version 1.1 (July 6th, 2015): Advisory updated with current information from ESET development team
- Version 1.0 (July 3rd, 2015): First version