Dec 2, 2010 13:47 GMT

Security giant McAfee is investigating a publicly disclosed DLL preloading vulnerability in version 8.5i of its VirusScan Enterprise (VSE) product, which can lead to remote code execution.

McAfee VirusScan Enterprise is the company’s endpoint antivirus product for corporate environments and is currently at version 8.7i Patch 4.

In a knowledge base article published yesterday, McAfee revealed that it is investigating reports of a vulnerability in VSE 8.5i and earlier, which could allow remote attackers to execute arbitrary code in the context of the antivirus.

The company described the flaw as a “DLL Side Load issue” and rated its impact as medium. The calculated CVSS base score is 5.7 out of 10.

In contrast, vulnerability research company Secunia rates the issue as “highly critical” and calls it an “insecure library loading” flaw.

This discrepancy in severity rating is caused by the fact that McAfee treats this as an unconfirmed report, which keeps the CVSS score down.

“We are investigating the claims and will update this KB with additional details when they are available. We will be publishing a hotfix for this issue as soon as we are certain the fix closes all avenues of attack,” the company says.

Secunia credits Parvez Anwar with discovery of the flaw and explains that exploitation involves tricking users into opening a specially crafted Word document from a remote WebDAV or SMB share.

When the antivirus product tries to scan ActiveX content embedded inside the file, it attempts to load traceapp.dll from the current working directory.

This presents an opportunity for attackers to place a rogue library with that name in the same folder as the Word document and have it loaded. The only mitigation available at the moment is to upgrade to VSE 8.7i, which is not vulnerable.
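Because the rogue library has to sit in the same folder as the document, a file share can be audited for that layout. The following is an added example, not code from McAfee, Secunia or the original article; it assumes the share is mounted at a local path, and the extension list and function names are illustrative.

```python
import os
import tempfile
from pathlib import Path

# Document extensions a user might open from a share (assumed list).
DOC_EXTS = {".doc", ".docx", ".rtf"}
# Library name reported in the article; extend from other advisories as needed.
KNOWN_PRELOAD_NAMES = {"traceapp.dll"}

def audit_share(root):
    """Flag folders where a DLL sits beside a document.

    Returns sorted (relative_folder, dll_name, severity) tuples. Severity is
    "high" for a known preload name, otherwise "review".
    """
    findings = []
    for folder, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        names = sorted(f.lower() for f in files)
        if not any(Path(n).suffix in DOC_EXTS for n in names):
            continue  # a DLL with no document beside it is out of scope here
        rel = os.path.relpath(folder, root)
        for n in names:
            if n.endswith(".dll"):
                sev = "high" if n in KNOWN_PRELOAD_NAMES else "review"
                findings.append((rel, n, sev))
    return sorted(findings)

def demo():
    # Constructed sample tree standing in for a mounted share.
    layout = {
        "hr": ["policy.doc"],                    # document only: clean
        "invoices": ["Q4.DOC", "TraceApp.DLL"],  # known name beside a document
        "tools": ["helper.dll"],                 # DLL only: ignored
        "mixed": ["notes.docx", "plugin.dll"],   # unknown DLL beside a document
    }
    with tempfile.TemporaryDirectory() as root:
        for sub, files in layout.items():
            os.makedirs(os.path.join(root, sub))
            for f in files:
                Path(root, sub, f).write_bytes(b"")
        return audit_share(root)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Folders marked "review" hold a library whose name is not on the known list; they still warrant a look, since a document folder rarely has a legitimate reason to contain a DLL.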