Emsisoft would like to thank independent security researchers that help us to improve our products. If you have found a new vulnerability in our products that can be used to threaten the security of a computer, please immediately let us know via [email protected].
The following vulnerabilities have been disclosed:
2016-01-08: Code execution and privilege escalation in installers
Installer packages of Emsisoft products have been found to be vulnerable to so called carpet poisoning attacks. These allow for execution of third party code with elevated rights, in the event that the malicious code is already planted in DLL files using specific file names in the same folder where the installer packages are saved to and executed from.
The root cause of this issue is essentially the way in which Windows loads DLL files. While developers expect that system components are loaded from the Windows folder, Windows looks for an equally named file in the same folder of an executable (EXE) first. This allows an attacker to plant a malicious version of a DLL in the same folder (e.g. via drive-by download) to get their malicious code executed with higher rights when the installer for the legitimate software is executed. Since installers require elevated rights, they pass on these rights to any other code they load, such as code in DLL files, allowing them to gain higher rights than they would get when executed on their own.
The issue effects all Emsisoft installation packages (setups) that were compiled before 2016-01-08, in particular EmsisoftAntiMalwareSetup.exe, EmsisoftInternetSecuritySetup.exe, and EmsisoftEmergencyKit.exe. You can verify the timestamp of signing in file properties under "Digital Signatures" (right-click on the file, select "Properties", and click on the "Digital Signatures" tab to view this information).
Emsisoft code was never effected by this issue. The problem is limited to the installers (setup programs) that install our products on your computer, which are based on third party installer technology.
All installers were re-compiled with a fixed version of the installer technology on 2016-01-08.
Older installers may still be safely executed from any new folder that does not contain any other DLL files.
Since this generic problem effects a high number of installers from various vendors, it is recommended to never execute downloaded programs directly from unsafe folders like "Downloads" or "Temp". You may want to set the permissions of those folders to deny execution and/or always move downloaded programs into new and empty folders before executing or running them.
Emsisoft would like to thank Stefan Kanthak for bringing this issue to our attention.