Google researcher discloses critical vulnerability in ESET virus scanners

A security researcher working at Google has discovered a critical vulnerability in ESET's antivirus software. Attackers can use the vulnerability to gain remote access to a system. The issue is caused by a bug in a so-called minifilter.

The minifilter, which is part of several ESET software packages including antivirus and security applications, is used to intercept and analyse data that is read from and written to an HDD or SSD. If the data is executable, the code is emulated. This allows the ESET software to check whether the code is safe.

According to Google researcher Tavis Ormandy, the minifilter is not secure enough and allows an attacker to execute malicious code on the system by generating reads and writes. Because this is hardly noticeable and requires no user interaction, the system can be silently exploited remotely and taken over.

On Windows systems, attackers can get administrator rights by getting access to the ekrn.exe process. On OS X and Linux systems the ESETS daemon, which has root privileges, can be taken over.

Ormandy says that he found the vulnerability in only a couple of days, and he also published the exploit. Slovakia-based ESET released patches for the vulnerable software on the 22nd of June.