The vulnerability, which affects every ESET AV product, is “trivial” to exploit and allows attackers to “completely compromise” any network-connected computer running ESET anti-virus, said Ormandy in a 23 June blog.
The problem is in ESET's emulator, which checks suspected malware in a supposedly safe environment.
“Because it's so easy for attackers to trigger emulation of untrusted code, it's critically important that the emulator is robust and isolated,” Ormandy said. “Unfortunately, analysis of ESET emulation reveals that is not the case and it can be trivially compromised.”
He told ESET about the problem last Thursday. They worked on a fix over the weekend and released it on Monday. Users are being urged to update their products.
The problem comes in the wake of reports that the UK's GCHQ intelligence agency has been targeting flaws in AV systems to infiltrate networks.
Ormandy emphasised: “This is not a theoretical risk, recent evidence suggests a growing interest in anti-virus products from advanced attackers.”
In his blog, he provides this video showing how an attacker can take over a system by hiding their own malicious script in a standard version of ESET's NOD32 Business Edition AV software.
But Ormandy says there are hundreds of other possible exploitation scenarios, and that critically “there would be zero indication of compromise”.
He explained: “Any network-connected computer running ESET can be completely compromised. This would allow reading, modifying or deleting any files on the system regardless of access rights; installing any program or rootkit; accessing hardware such as camera, microphones or scanners; logging all system activity such as keystrokes or network traffic; and so on.
“There would be zero indication of compromise, as disk I/O is a normal part of the operation of a system. Because there is zero user-interaction required, this vulnerability is a perfect candidate for a worm. Corporate deployments of ESET products are conducive to rapid self-propagation, quickly rendering an entire fleet compromised. All business data, PII, trade secrets, backups and financial documents can be stolen or destroyed.
“These scenarios are possible because of how privileged the scan process is.”
He says Windows, Mac and Linux system are all equally vulnerable.
In a statement to journalists, ESET emphasised how quickly it had acted to fix the flaw.