McAfee SecurityCenter 4.3 through McAfee SecurityCenter 6.0.22 share the flaw

Aug 2, 2006 14:57 GMT

Multiple McAfee consumer products share an identical vulnerability that, if exploited, could permit the remote execution of arbitrary code on a vulnerable machine, to the point of completely compromising the system, allowing for user-level access and privileges. So far, McAfee Internet Security Suite 2006, McAfee Wireless Home Network Security, McAfee Personal Firewall Plus, McAfee VirusScan, McAfee Privacy Service, McAfee SpamKiller and McAfee AntiSpyware have all proved vulnerable, and McAfee has disclosed that the client security consoles, McAfee SecurityCenter 4.3 through McAfee SecurityCenter 6.0.22, share the flaw.

"This vulnerability requires the attacker to construct the infrastructure of the attack web page as well as the assistance of an authenticated end user on the machine. The McAfee security ranking scale that is used classifies that any remote assisted flaw that results in arbitrary code execution is a medium threat to the end user. In order to accomplish this exploit, a user would have to force Internet Explorer to render a malicious web page which has been generated by the attacker. The attack requires reverse engineering of the software as well as the assistance of the user," wrote McAfee in an advisory.

The security company has announced that it has released an update addressing the problem: SecurityCenter 7.0 is available through automatic delivery starting on August 2, 2006.