Patch/Configuration Management, Vulnerability Management

Flaws in numerous McAfee products allow system compromise

Vulnerability monitoring organizations have reported a flaw in numerous McAfee products that can be exploited to compromise systems.

The vulnerability — which exists in the subscription manager of McAfee AntiSpyware, Internet Security Suite, PC Protection Plus, Personal Firewall Plus, Privacy Service, QuickClean, SecurityCenter, SpamKiller, Total Protection, VirusScan and Wireless Home Network Security —  was patched by the Santa Clara, Calif.-based anti-virus giant on March 22.

Secunia today ranked the flaw as "highly critical," meaning it can be exploited for system access from a remote location. Attackers can use the bug to cause a buffer overflow via a malicious file, according to the Danish vulnerability monitoring clearinghouse.

The flaw is caused by an error within the SecurityCenter Subscription Manager ActiveX control when handling the IsOldAppInstalled() method, according to Secunia’s advisory, and is found in versions prior to 7.2.147 and 6.0.25.

The organization recommended that users who cannot patch set the kill bit for the affected ActiveX control.

For a successful attack, a victim must be redirected to a malicious website. However, the level of social engineering required is minimal, according to an advisory from VeriSign iDefense. An iDefense representative could not immediately be reached for comment today.

COMRaider and other COM object fuzzing tools can easily find the flaw, according to iDefense’s advisory.

FrSIRT, the French Security Incident Response Team, ranked the flaw as "critical" in an advisory released today.

Researcher Peter Vreugdenhil was widely credited with discovering the flaw.

McAfee rated the flaw as "medium" severity on Monday. In an advisory, the company warned that the flaw affects McAfee products for Microsoft Windows operating systems.

End-users set to receive automatic updates are likely patched, according to McAfee’s advisory.

Dave Marcus, security research and communications manager at McAfee, told today that users should ensure their systems are patched and keep an eye out for social engineering attacks.

"The vulnerability in the Secunia Advisory has been patched and available through auto-update since March 22, 2007 so users that have this setting enabled automatically received the patch. McAfee is not aware of any active exploitation of this vulnerability in-the-wild but advises it’s customers to ensure they are running the latest version of this software."

Click here to email Online Editor Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.