The vulnerability, which affects every ESET AV product, is “trivial” to exploit and allows attackers to “completely compromise” any network-connected computer running ESET anti-virus, said Ormandy in a 23 June blog post.
The problem is in ESET's emulator, which checks suspected malware in a supposedly safe environment.
“Because it's so easy for attackers to trigger emulation of untrusted code, it's critically important that the emulator is robust and isolated,” Ormandy said. “Unfortunately, analysis of ESET emulation reveals that is not the case and it can be trivially compromised.”
He told ESET about the problem last Thursday. They worked on a fix over the weekend and released it on Monday. Users are being urged to update their products.
The problem comes in the wake of reports that the UK's GCHQ intelligence agency has been targeting flaws in AV systems to infiltrate networks.
Ormandy emphasised: “This is not a theoretical risk, recent evidence suggests a growing interest in anti-virus products from advanced attackers.”
In his blog post, he provides a video showing how an attacker can take over a system by hiding their own malicious script in a standard version of ESET's NOD32 Business Edition AV software.
But Ormandy says there are hundreds of other possible exploitation scenarios, and that critically “there would be zero indication of compromise”.
He explained: “Any network-connected computer running ESET can be completely compromised. This would allow reading, modifying or deleting any files on the system regardless of access rights; installing any program or rootkit; accessing hardware such as camera, microphones or scanners; logging all system activity such as keystrokes or network traffic; and so on.
“There would be zero indication of compromise, as disk I/O is a normal part of the operation of a system. Because there is zero user-interaction required, this vulnerability is a perfect candidate for a worm. Corporate deployments of ESET products are conducive to rapid self-propagation, quickly rendering an entire fleet compromised. All business data, PII, trade secrets, backups and financial documents can be stolen or destroyed.
“These scenarios are possible because of how privileged the scan process is.”
He says Windows, Mac and Linux systems are all equally vulnerable.
In a statement to journalists, ESET emphasised how quickly it had acted to fix the flaw.
“The vulnerability was found in the emulation routine used in a particular scanner for a specific malware family. It didn't affect the core emulation engine. ESET reacted immediately and released the update over the weekend, in just three days of Google's standard 90-day disclosure period,” the company said.
It added: “ESET continually performs code re-factoring to improve efficiency and quality of products. As a result, this vulnerability was already not present in ESET's pre-release engine. Pre-release updates give access to the most recent detection methods and fixes and are available to everybody.”
The flaw is the latest in a series of problems discovered in AV products.
A year ago, Ormandy himself found a serious bug in Microsoft's Malware Protection Engine product.
Shortly after, Joxean Koret, a researcher with Singapore-based security firm COSEINC, said he had found exploitable vulnerabilities in 14 AV products, including Bitdefender, Kaspersky, ESET, Sophos and Avast.
Earlier this year, AV supplier Kaspersky revealed it had been targeted by the Duqu 2.0 nation-state malware, and earlier this week ‘The Intercept’ confirmed, based on Snowden documents, that GCHQ has been reverse engineering anti-virus software to identify exploitable vulnerabilities since 2008 or earlier.
This raises the question of how far AV security products are protecting users, or leaving them damagingly open to attack.
Bob Tarzey, director of security research firm Quocirca Ltd, said the issue was an embarrassment for ESET.
“As a security software vendor, to have your reputation damaged through an exploitable software vulnerability is not good news,” he told SCMagazineUK.com.
“All software contains vulnerabilities. But people who are delivering security software can expect to be held to a higher standard. There's no real excuses. If you're going to be delivering something to somebody's desktop and say this makes you more secure, and that product leads to insecurity, then you're going to have egg on your face.”
Author David Lacey, an expert in advanced malware attacks, said the continuing problems show users should stop relying on single AV products.
He told SCMagazineUK.com: “Increasingly AV products don't work so well. There are just so many new kinds of signatures you want to track and limited resource in updating these systems, so they're going to become increasingly less reliable. So you shouldn't rely on something like a signature-based scanning system, they have their limitations.
“All security products are a magnet, a target for any attackers, whether they're firewalls, anti-virus, whatever. If I was attacking someone I'd want to penetrate security products, I'd want to use the privileged access they have. I think increasingly as people become aware of this risk, they need to start thinking about using more than one product or if they've got something really sensitive like personnel or vetting records then shouldn't keep them online, at all.”
ESET CTO Juraj Malcho said in a statement issued earlier this week: “US and British intelligence agencies have probed anti-malware vendor software for vulnerabilities in an effort to improve their own surveillance efforts.
“All of us in the information security industry stand together against efforts designed to weaken our security products. ESET's systems have been inspected in connection to this case and no indicators of compromise were found.”