Vulnerability in ESET products, upgrade immediately

An analysis of a feature used in ESET's products (the code emulator) showed that it was not robust enough and can be easily compromised, allowing an attacker to take full control of a system running the vulnerable solution.

The code emulator is integrated into ESET's antivirus products and allows files or scripts to be executed before the user runs them himself. This process happens in an isolated environment and thus cannot affect the real system.

The data collected is passed to the heuristic analyzer, which decides whether its nature is malicious or suspicious.

Researcher Tavis Ormandy of Google Project Zero discovered the vulnerability in NOD32 Antivirus, but he says other products are also affected in all versions (Windows, OS X and Linux), including the Endpoint and Business versions.

“Many antivirus products have emulation capabilities. ESET NOD32 uses a microfilter or kext (the name comes from the kernel extension or kernel) to monitor disk I/O,” reports Ormandy.

Because disk I/O operations can be triggered in a number of ways, malicious code can reach the disk from messages, images or other types of data. Hence the need for a robust and properly isolated code emulator in antivirus solutions.

Ormandy found the flaw, analyzed it and created a remote root exploit within a few days, showing that it can be used to obtain full access to the victim's system.

It should be noted that Ormandy reported the vulnerability to ESET on 18 June, and the company immediately released an update for the scan engine (just 4 days later).

You can find more technical details on the vulnerability, along with the exploit, on the announcement page for the security flaw.

See the PoC:

https://www.youtube.com/watch?v=Sk-CuFMXods

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
