[CA6071] Mitigations for vulnerabilities in ESET’s EXE installers

Summary

ESET Customer Advisory 2016-0001
February 19th, 2016
Severity: Critical

ESET has implemented countermeasures to prevent DLL Search Order attacks against the EXE installers for multiple Windows products; the affected installers are listed in the Affected Programs and Versions section below.

Before these countermeasures were implemented, ESET installers could have been vulnerable to DLL preloading: a DLL loaded through the DLL Search Order would have run with the elevated privileges of the installer. This could have been achieved by placing a specially-crafted DLL file in the same folder as the installer prior to installation. While this may seem like an unlikely scenario, installers are commonly run from the “Downloads” folder used by the web browser, which could contain DLL files downloaded by the user.

ESET is not aware of this flaw being actively exploited in the wild.

The mitigations in these hotfixes will be replaced by more comprehensive solutions soon.

Customer Advisory

Solution

If you already have an affected ESET product installed, you do not need to take any action to address this issue. However, if you plan to install, reinstall or upgrade your ESET product using an EXE file installation package, please download the most up-to-date version from the ESET website before proceeding. If you cannot download the new EXE file, move your existing EXE installer to a newly-created (empty) folder and run it from there.
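The following PowerShell script is an added illustration of the workaround in this section for the case where the new EXE cannot be downloaded; it is not ESET's code. The function names and the installer path are constructed for the example. It first lists any DLL files sharing the installer's folder (the condition the advisory warns about), then moves the installer into a freshly created, verified-empty folder and returns the new path to run it from.

```powershell
# Added example (not from ESET): apply the advisory's workaround for an
# installer EXE that cannot be re-downloaded. Names and paths are constructed.
function Get-ColocatedDlls {
    param([Parameter(Mandatory)][string]$InstallerPath)
    $dir = Split-Path -Path (Resolve-Path -LiteralPath $InstallerPath) -Parent
    # Any DLL next to the installer is a preloading candidate, because the
    # folder containing the EXE is the first location searched.
    Get-ChildItem -LiteralPath $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue
}

function Move-InstallerToCleanFolder {
    param([Parameter(Mandatory)][string]$InstallerPath)
    # A new, uniquely named folder under %TEMP% cannot already hold a DLL.
    $stage = Join-Path $env:TEMP ('eset-install-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $stage | Out-Null
    if (@(Get-ChildItem -LiteralPath $stage -Force).Count -ne 0) {
        throw "Staging folder $stage is not empty"
    }
    $dest = Join-Path $stage (Split-Path -Leaf $InstallerPath)
    Move-Item -LiteralPath $InstallerPath -Destination $dest
    return $dest
}

# Constructed location; substitute the real installer path.
$installer = Join-Path $env:USERPROFILE 'Downloads\eset_installer.exe'

$dlls = @(Get-ColocatedDlls -InstallerPath $installer)
if ($dlls.Count -gt 0) {
    Write-Warning ("{0} DLL file(s) share the installer's folder: {1}" -f `
        $dlls.Count, ($dlls.Name -join ', '))
}
$staged = Move-InstallerToCleanFolder -InstallerPath $installer
Write-Output "Run the installer from: $staged"
```

Running the installer from the returned path satisfies the advisory's workaround: the only file in its folder is the installer itself, so no co-located DLL can be found ahead of the system copy.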

Affected Programs and Versions

  • ESET Smart Security Live Installer 9.0.19.0 and earlier
  • ESET NOD32 Antivirus Live Installer 9.0.19.0 and earlier
  • ESET Smart Security Offline Installer 9.0.349.13 and prior (9.0.351.2 and earlier for Slovak and Czech localizations, and 9.0.349.6 and earlier for Polish localization)
  • ESET NOD32 Antivirus Offline Installer 9.0.349.13 and prior (9.0.351.2 and earlier for Slovak and Czech localizations, and 9.0.349.6 and prior for Polish localization)
  • ESET AV Remover 1.1.3.0 and prior
  • ESET Endpoint Security with AV Remover 6.3.2016.0 dated November 27, 2015
  • ESET Endpoint Antivirus with AV Remover 6.3.2016.0 dated November 27, 2015

Details

ESET’s EXE installer files may use dynamically linked libraries (DLL files), just like any other EXE files. DLL files are loaded by the executable itself or by the operating system, from the first location in which they are found during a sequential search of the DLL Search Order. The default DLL Search Order begins with the folder where the current program is located. Thus, if customers download an EXE installer file to their downloads folder and an attacker has managed to place a suitably-named malicious DLL file in that folder prior to the installer being executed, the attacker’s DLL will be found first and loaded. This DLL could then compromise the victim’s system. Microsoft’s documentation describes the DLL Search Order in detail.
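To make the search-order argument concrete, the following PowerShell script is an added model of the default Windows DLL Search Order; it is not ESET's code and the advisory does not describe ESET's actual countermeasure. Step 1 (the application's folder) is the one stated above; the remaining steps follow Microsoft's documented order for the default safe-search mode. The function names are hypothetical, the `-SystemOnly` switch models a loader that restricts its search to the System32 directory (a generally available hardening, not necessarily what ESET shipped), and the scenario uses an empty placeholder file named `example.dll` created in a temporary folder.

```powershell
# Added example (not from the advisory): model the default DLL Search Order
# and show why a DLL placed next to the installer is found first.
function Get-DllSearchCandidates {
    param(
        [Parameter(Mandatory)][string]$DllName,
        [Parameter(Mandatory)][string]$ApplicationDirectory,
        [switch]$SystemOnly   # models a loader restricted to System32
    )
    $system32 = [Environment]::GetFolderPath('System')
    if ($SystemOnly) {
        return @([IO.Path]::Combine($system32, $DllName))
    }
    $windows = [Environment]::GetFolderPath('Windows')
    $order = @(
        $ApplicationDirectory,                    # 1. folder containing the EXE
        $system32,                                # 2. System32
        [IO.Path]::Combine($windows, 'System'),   # 3. 16-bit system directory
        $windows,                                 # 4. Windows directory
        (Get-Location).Path                       # 5. current directory
    ) + @($env:Path -split ';' | Where-Object { $_ })   # 6. PATH entries
    foreach ($dir in $order) { [IO.Path]::Combine($dir, $DllName) }
}

function Resolve-Dll {
    param(
        [Parameter(Mandatory)][string]$DllName,
        [Parameter(Mandatory)][string]$ApplicationDirectory,
        [switch]$SystemOnly
    )
    # Return the first candidate that exists, exactly as a sequential search would.
    foreach ($candidate in Get-DllSearchCandidates @PSBoundParameters) {
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

# Constructed scenario: a download folder holding an unrelated file whose
# name matches a DLL the installer asks for. The file is an empty placeholder.
$downloads = Join-Path $env:TEMP 'demo-downloads'
New-Item -ItemType Directory -Path $downloads -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $downloads 'example.dll') -Force | Out-Null

Write-Output 'Default search order resolves to:'
Resolve-Dll -DllName 'example.dll' -ApplicationDirectory $downloads
Write-Output 'System32-only search resolves to:'
Resolve-Dll -DllName 'example.dll' -ApplicationDirectory $downloads -SystemOnly
```

With the default order, the first call returns the placeholder in the download folder, because step 1 is consulted before System32 ever is. With the search restricted to System32, the second call returns nothing for the constructed name: the installer's folder is never considered, so a planted file there cannot be selected, and a genuinely missing DLL surfaces as a load failure rather than as a silent substitution.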

On December 21, 2015, a security researcher described this vulnerability in some of our products; we learned of this later that day. On December 30, 2015, ESET completed preparation and testing of a hotfix for this issue. The next day, fixed versions of the installation packages for ESET Smart Security and ESET NOD32 Antivirus in English, Slovak, Czech and Polish localizations were released, and on January 13, 2016 updates for all remaining localizations were released. An update was released for ESET AV Remover 1.1.4.0 on January 21, 2016. Updates for ESET Endpoint Security with AV Remover 6.3.2016.0 and ESET Endpoint Antivirus with AV Remover 6.3.2016.0 were released on February 15, 2016. Please note that these last two updates ship with the same product version as their previous, unfixed release builds.

ESET prefers EXE installers for usability reasons. Windows’ native MSI installers do not permit the flexibility to perform all of the possibly required actions (for example, checking to see if a newer version of the software is available before continuing installation, uninstalling previously-installed security software, and so forth). Despite this, ESET’s EXE file installers use MSI installation procedures in the background to ensure compliance with Microsoft’s software installation guidelines.

Installation packages with even more robust solutions for the reported issues will be released soon, to cover more possible attack scenarios on more target operating systems.

Acknowledgement

ESET thanks independent security researcher Stefan Kanthak, who found and reported this issue.

Feedback & Support

If you have feedback or questions about these updates, please contact us using the ESET Security Forum, or via local ESET Support.

Reporting security vulnerabilities to ESET

ESET welcomes reports of security vulnerabilities in its products. See http://www.eset.com/int/security-vulnerability-reporting/

Version Log

  • Version 1.0 (February 19, 2016): First version