[NEWS5861] ESET Customer Advisory: Mitigations for vulnerabilities in ESET’s EXE installers


ESET Customer Advisory 2016-0001
February 19th, 2016
Severity: Critical

Summary

ESET has implemented countermeasures to prevent DLL Search Order attacks against the EXE installers for multiple Windows products; the list can be found in the Affected Programs and Versions section below.

By leveraging this DLL Search Order vulnerability, an attacker could have performed a DLL preloading attack with elevated privileges. This could have been achieved by placing a specially crafted DLL file in the same folder as the installer prior to installation. While this may seem like an unlikely scenario, installers are commonly run from the “downloads” folder used by the web browser, which could contain DLL files downloaded by the user.

ESET is not aware of this flaw being actively exploited in the wild.

The mitigations in these hotfixes will be replaced by more comprehensive solutions soon.

Solution

If you already have an affected ESET product installed, you do not need to take any action to address this issue. However, if you plan a new installation, a reinstallation, or an upgrade, by means of an EXE file installation package, please download the most up-to-date version from the ESET website and run that. As an alternative, it is sufficient to move an existing EXE installer to a newly-created (empty) folder and run it from there.

Affected Programs and Versions

  • ESET Smart Security Live Installer 9.0.19.0 and prior
  • ESET NOD32 Antivirus Live Installer 9.0.19.0 and prior
  • ESET Smart Security Offline Installer 9.0.349.13 and prior (9.0.351.2 and prior for Slovak and Czech localizations, and 9.0.349.6 and prior for Polish localization)
  • ESET NOD32 Antivirus Offline Installer 9.0.349.13 and prior (9.0.351.2 and lower for Slovak and Czech localizations, and 9.0.349.6 and prior for Polish localization)
  • ESET AV Remover 1.1.3.0 and prior
  • ESET Endpoint Security with AV Remover 6.3.2016.0 dated November 27, 2015
  • ESET Endpoint Antivirus with AV Remover 6.3.2016.0 dated November 27, 2015

 

 

Details

ESET’s EXE installer files may use dynamically linked libraries (DLL files), just like any other EXE files. DLL files are loaded, by the executable itself or by the operating system, from the first location in which they are found during a sequential search of the DLL Search Order. The default DLL Search Order begins with the folder where the current program is located. Thus, if customers download an EXE installer file to their downloads folder and an attacker has managed to place a suitably-named malicious DLL file in that folder prior to the installer being executed, the attacker’s DLL will be found first and loaded. This DLL could then compromise the victim’s system. You can read Microsoft’s detailed explanation of DLL Search Order here.
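The following Python sketch is an added example, not ESET's code. It shows the check and the workaround described above: it lists DLL files sitting next to an installer, then stages the installer in a newly created folder and confirms it is alone there. The file names and the `demo` helper are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def colocated_dlls(installer: Path) -> list[Path]:
    """DLL files sitting next to the installer, i.e. in the first
    location of the default DLL Search Order described above."""
    return sorted(p for p in installer.parent.iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll")


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def stage_in_empty_folder(installer: Path) -> Path:
    """Copy the installer into a newly created folder and confirm the
    copy is intact and is the only entry there."""
    staging = Path(tempfile.mkdtemp(prefix="installer-staging-"))
    staged = Path(shutil.copy2(installer, staging / installer.name))
    if sha256(staged) != sha256(installer):
        raise RuntimeError("staged copy differs from the original")
    if [p.name for p in staging.iterdir()] != [installer.name]:
        raise RuntimeError("staging folder is not empty apart from the installer")
    return staged


def demo() -> tuple[list[str], list[str]]:
    # Constructed sample: a fake downloads folder with placeholder files.
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    installer = downloads / "example_installer.exe"  # hypothetical name
    installer.write_bytes(b"MZ placeholder, not a real installer")
    (downloads / "Example.DLL").write_bytes(b"placeholder")
    (downloads / "notes.txt").write_text("unrelated download")
    before = [p.name for p in colocated_dlls(installer)]
    staged = stage_in_empty_folder(installer)
    after = [p.name for p in colocated_dlls(staged)]
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("DLLs next to installer in downloads folder:", before)
    print("DLLs next to staged copy:", after)
```

The check covers only the folder where the installer is located, which is the first location in the default DLL Search Order; it does not inspect any later search locations.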

On December 21, 2015, a security researcher described this vulnerability in some of our products; we learned of this later that day. On December 30, 2015, ESET completed preparation and testing of a hotfix for this issue. The next day, fixed versions of the installation packages for ESET Smart Security and ESET NOD32 Antivirus in English, Slovak, Czech and Polish localizations were released, and on January 13, 2016 updates for all remaining localizations were released. An update was released for ESET AV Remover 1.1.4.0 on January 21, 2016. Updates for ESET Endpoint Security with AV Remover 6.3.2016.0 and ESET Endpoint Antivirus with AV Remover 6.3.2016.0 were released on February 15, 2016. Please note that these last two updates ship with the same product version as their previous, unfixed release builds.

ESET prefers EXE installers for usability reasons. Windows’ native MSI installers do not permit the flexibility to perform all of the possibly required actions (for example, checking to see if a newer version of the software is available before continuing installation, uninstalling previously-installed security software, and so forth). Despite this, ESET’s EXE file installers use MSI installation procedures in the background to ensure compliance with Microsoft’s software installation guidelines.

Installation packages with even more robust solutions for the reported issues will be released soon, to cover more possible attack scenarios on more target operating systems.

 

Acknowledgement

ESET thanks independent security researcher Stefan Kanthak, who found and reported this issue.

Feedback & Support

If you have feedback or questions about these updates, please contact us using the ESET Security Forum, or via local ESET Support.

Reporting security vulnerabilities to ESET

ESET welcomes reports of security vulnerabilities in its products. See http://www.eset.com/int/security-vulnerability-reporting/
