In an ironic and unfortunate turn of events, Google security researchers have discovered a bug in Mac antivirus software that exposes Macs to remote hacking. The critical vulnerability was discovered last November, in ESET’s Endpoint Antivirus 6 for macOS, by Google Security Team members Jason Geffner and Jan Bee.
According to ESET’s website, the software provides “comprehensive endpoint protection for macOS” and “eliminates all types of threats, including viruses, rootkits, worms and spyware.”
As it turns out, an update made to ESET’s antivirus package in October 2016 contained an outdated XML parsing library from 2007. The result was that vulnerable versions of ESET Endpoint Antivirus 6 “do not perform proper server authentication, allowing for remote unauthenticated attackers to perform arbitrary code execution as root on vulnerable clients,” the Google researchers wrote in their full vulnerability disclosure.
The old parser library in question is the POCO XML parser library, which is known to be vulnerable to a buffer overflow bug. The XML library bug allows malicious agents to perform man-in-the-middle attacks to intercept licensing credential transfers and deliver malformed XML documents using a forged HTTPS certificate, granting them root level privileges to the target Mac.
Once they have the ability to push root-level code execution, hackers can wreak a significant amount of havoc.
Once the Googlers discovered the issue, they notified ESET and gave them three months to rectify it.
“Working together with the Google Security Team, we issued updates on February 13th and 14th that corrected the issues before the vulnerability became public. All users with the latest version of ESET products are not vulnerable to these issues,” an ESET spokesperson said to ZDNet.
“To our knowledge, no users have reported any incidents around the discoveries.”
ESET has since fixed the issue and released an updated iteration in version 220.127.116.11 on February 21, which you can download here.