Zero-Day Vulnerability Found in McAfee’s SaaS Products

Researchers from the Zero Day Initiative (ZDI) have found a critical vulnerability in McAfee’s Security-as-a-Service (SaaS) products. Even though McAfee has been notified of the issue since April 2011, the company failed to provide a patch and ZDI disclosed the information in accordance with its 180-day deadline.

An attacker can execute arbitrary code by exploiting the flaw, but only if they manage to convince the potential victim to visit a malicious page or open a specially crafted file. Unfortunately, from previous experience, we know that this task is not difficult to accomplish.

“The specific flaw exists within myCIOScn.dll. MyCioScan.Scan.ShowReport() will accept commands that are passed to a function that simply executes them without authentication. This can be leveraged by a malicious attacker to execute arbitrary code within the context of the browser,” reads ZDI’s report.

The issue has been rated with a CVSS score of 9 out of a maximum of 10, which means that the weakness is highly severe.

While McAfee didn't provide a patch, ZDI recommends a workaround to mitigate the threat: users should set the kill bit for the affected ActiveX control, which disables scripting of that control within Internet Explorer, by modifying a registry value.

According to the researchers, an attack can be prevented if the Compatibility Flags DWORD value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{209EBDEE-065C-11D4-A6B8-00C04F0D38B7} is set to 0x00000400.
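The following script is an added example, not from the article or from ZDI, that checks whether the kill bit described above is already present and applies it if not. It uses the CLSID quoted in the article and the standard 0x400 kill-bit flag; the Wow6432Node path is an assumption based on how 32-bit Internet Explorer reads the registry on 64-bit Windows, and the script must be run from an elevated PowerShell prompt.

```powershell
# Added example (not the article's or ZDI's code): verify and apply the
# ActiveX kill bit for the control the article names.
# CLSID is taken from the article; 0x400 is the documented kill-bit flag.

$Clsid   = '{209EBDEE-065C-11D4-A6B8-00C04F0D38B7}'
$KillBit = 0x400

# Native key from the article. On 64-bit Windows, 32-bit IE reads the
# Wow6432Node copy as well, so both are covered (assumption: see lead-in).
$KeyPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $KeyPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-CompatibilityFlags {
    param([string]$Path)
    # Returns 0 when the key or the value does not exist yet.
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Path)
    # The value is a bitmask; test the bit instead of comparing for equality,
    # so an existing value such as 0x401 still counts as "kill bit set".
    return (((Get-CompatibilityFlags -Path $Path) -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # OR the flag in so that other compatibility flags already present survive.
    $newValue = (Get-CompatibilityFlags -Path $Path) -bor $KillBit
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $newValue -Force | Out-Null
}

foreach ($path in $KeyPaths) {
    if (Test-KillBit -Path $path) {
        Write-Output "Kill bit already set: $path"
    } else {
        Set-KillBit -Path $path
        Write-Output "Kill bit applied:     $path"
    }
}
```

Running Test-KillBit alone on each path is a quick way to confirm the workaround on a fleet of machines before deciding whether Set-KillBit needs to be pushed out.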

The experts didn’t provide the exact names of the affected products, but McAfee’s SaaS line includes McAfee SaaS Email Protection, which delivers protection against viruses and spam in email systems; McAfee Integrated Suites, which offer protection against viruses, spyware, web threats and other attacks; Endpoint Protection; Vulnerability Management; and Web Protection.

We have contacted McAfee for an official statement regarding the matter, but they haven’t responded so far. The article will be updated as soon as the company comes forward with details.

Source: Softpedia