Security vendor McAfee, which is now owned by Intel, is rolling out a patch for three flaws in its Endpoint Protection Software as a Service offering.
All three flaws are in ActiveX controls. One tricks the control into executing commands supplied by an attacker, the second lets attackers write to files on disk and the third lets attackers execute code with user privileges, McAfee said.
The first two flaws were patched back in August, and it’s the third that created headlines earlier this week when it was found it let attackers essentially hijack victims’ PCs and use them to relay spam.
McAfee knows of “four to five” victims, all small and medium-sized businesses, company spokesperson Ian Bain told TechNewsWorld. The vendor “worked with them to stop [the attack] as the patch was being developed,” Bain added.
The spam relay problem “would most likely cause an ISP to block a business, and that is rarely going to happen to a large corporation,” IT security expert Randy Abrams told TechNewsWorld. “Small, relatively unknown companies would be at great risk of being blacklisted.”
Fixating on the Flaws
The flaw that turned victims’ PCs into spam relay machines, ZDI-CAN-1094, affects the myCIOScn ActiveX control.
It affects McAfee SaaS Endpoint Protection version 5.2.2 and earlier, McAfee said.
The vulnerability was reported to McAfee in April 2011 by Andrea Micalizzi, a.k.a. “rgod,” of Tipping Point’s DVI Labs.
However, user involvement is required to exploit the vulnerability. The Tipping Point advisory detailing Micalizzi’s discovery said users had to visit a malicious page or open a malicious file first.
The myCIOScn ActiveX control is used in McAfee’s Rumor feature. This employs file-sharing technology to distribute security product updates and upgrades.
The Rumor technology was implemented to help keep down the cost of software updates and upgrades, but this isn’t the first time it has backfired on McAfee.
Back in 2001, a remote vulnerability surfaced that leveraged Rumor technology to let attackers read any file on an affected PC. Attackers could use a specially formatted directory traversal URL to connect to a victim’s Web server and view and download any file on the target PC, Packet Technology warned.
At that time, the Rumor technology was used in McAfee Agent under the local system account.
Old Threats Never Die
One of the two earlier flaws that emerged in SaaS Endpoint Protection back in 2011 also affected the myCIOScn ActiveX control. This control acts as the main scanning process.
The vulnerability, labeled “ZDI-CAN-1105,” let attackers write to a file on disk. The attackers could control some contents of that file.
The other flaw, labeled “ZDI-CAN-1104,” affects the MyAsUtil ActiveX control. This control acts as a proxy for the SaaS Endpoint Protection system to allow for the execution of commands. Attackers can trick the control into executing commands they provide.
Like the latest vulnerability, these can only be exploited if users click on infected links or attachments.
They were fixed in McAfee SaaS Endpoint Protection version 5.2.2 released in August 2011, McAfee said.
These older flaws are being removed and, since they have already been fixed, removing them “is a cleanup,” McAfee’s Bain stated.
More on the Latest Patch
McAfee is automatically sending the patch for Endpoint Protection to customers on a phased rollout basis from its Network Operations Center.
Delivery is scheduled for completion before Jan. 30.
Customers have to ensure that their systems are online and available to receive updates.
In the meantime, those with technical knowhow who use Internet Explorer can disable scripting within that browser by modifying the data value of the Compatibility Flags DWORD, Tipping Point said.
First, they have to go to this location in the registry:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Internet Explorer/ActiveX Compatibility/209EBDEE-065C-11D4-A6B8-00C04F0D38B7
Then, they set the Compatibility Flags value to:
For more details, go here.
Customers can find out if they’ve possibly been affected by the flaw if they see their Internet connection has been a lot slower than usual or by asking their ISPs if there has been an unusual spike in traffic.