Researchers from Zero Day Initiative (ZDI) have found a critical vulnerability in McAfee’s Security-as-a-Service (SaaS) products. Even though McAfee has been notified on the issue since April 2011, the company failed to provide a patch and ZDI disclosed the information in accordance with their 180-day deadline.
An attacker can execute arbitrary code by exploiting the flaw, but only if he manages to convince the potential victim to visit a malicious page or open a specially crafted file. Unfortunately, from previous experience, we know that the task is not difficult to accomplish.
“The specific flaws exists within myCIOScn.dll. MyCioScan.Scan.ShowReport() will accept commands that are passed to a function that simply executes them without authentication. This can be leveraged by a malicious attacker to execute arbitrary code within the context of the browser,” reads ZDI’s report.
The issue has been rated with a CVSS score of 9 out of a maximum of 10 which means that the weakness is highly severe.
While McAfee didn't provide a patch, ZDI recommends a workaround to mitigate the threat. They recommend users to set the killbit to disable scripting within Internet Explorer by modifying a registry value.
According to the researchers, if
Compatibilty Flags DWORD from
HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Internet Explorer\ActiveX Compatibility \ 209EBDEE-065C-11D4-A6B8-00C04F0D38B7 is set to
0x00000400, an attack can be prevented.
The experts didn’t provide the exact names of the affected products, but McAfee’s SaaS
includes McAfee SaaS Email Protection, which delivers protection against viruses and spam in email systems, McAfee Integrated Suites that offer protection against viruses, spyware, web threats and other attacks, Endpoint Protection, Vulnerability Management, and Web Protection.
We have contacted McAfee for an official statement regarding the matter, but they haven’t responded so far. The article will be updated as soon as the company comes forward with details.
Update. McAfee released a
statement on their community forum clarifying the issue. Here is their statement:
McAfee is aware of this article. It is in reference to a security issue with McAfee Total Protection Service, our SaaS AV hosted product, which was fixed in a patch released in August 2011.
McAfee is releasing another patch later this week that will remove the functionality altogether (which was made obsolete by the August patch). As this is a hosted solution, the patch process will be automatic. Again, the August 2011 patch mitigated the issue. More information is available
here and
here.
Find us on Google+
