Critical hole in McAfee products still open after more than 180 days

Status
Not open for further replies.

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
H Security said:
Zero Day Initiative (ZDI) has released information on a security problem in McAfee's Security-as-a-Service products (SaaS). The vulnerability broker says that it told McAfee about the hole in April 2011, and that it has now decided to publicly release the information because the vendor still hasn't provided a patch.
The flaw is contained in the myCIOScn.dll program library. In this library, the MyCioScan.Scan.ShowReport() method insufficiently filters user input and executes embedded commands within the context of the browser. The flaw can be exploited when a user opens a specially crafted file or web page. ZDI rates the issue as very severe and has given it a CVSS score of 9 – maximum severity is 10.
ZDI's advisory doesn't state exactly which products are affected. McAfee's range of SaaS products includes "SaaS Email Encryption" for encrypting emails and "Vulnerability Assessment SaaS", which checks software for potential vulnerabilities.
As a workaround, ZDI recommends that users set the kill bit in the registry to prevent Internet Explorer from instantiating the affected ActiveX control. To do so, the "Compatibility Flags" DWORD entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\209EBDEE-065C-11D4-A6B8-00C04F0D38B7 must be set to "0x00000400".

Read more ...
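The kill-bit workaround quoted above, as an added PowerShell example that is not part of the original post or of ZDI's advisory. It assumes an elevated prompt, writes the CLSID in the brace-wrapped form registry subkeys use, and also covers the WOW6432Node view that 32-bit Internet Explorer reads on 64-bit Windows; the helper function names are hypothetical.

```powershell
# Added example (not from the article): set and verify the IE ActiveX kill bit.
# Run from an elevated PowerShell prompt.
$Clsid     = '{209EBDEE-065C-11D4-A6B8-00C04F0D38B7}'  # CLSID from the article, brace-wrapped
$ValueName = 'Compatibility Flags'
$KillBit   = 0x00000400

# Assumption: on 64-bit Windows the 32-bit Internet Explorer reads the
# WOW6432Node view, so both views are handled when present.
$Views  = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
$SubKey = 'Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatFlags {            # hypothetical helper name
    param([string]$KeyPath)
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }  # key or value missing: no flags set
    return [int]$item.$ValueName
}

function Set-KillBit {                # hypothetical helper name
    param([string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # OR the bit in so any other compatibility flags already present survive.
    $flags = (Get-CompatFlags $KeyPath) -bor $KillBit
    Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $flags -Type DWord
}

foreach ($view in $Views) {
    if (-not (Test-Path -LiteralPath $view)) { continue }   # no WOW6432Node on 32-bit Windows
    $key = Join-Path (Join-Path $view $SubKey) $Clsid
    Set-KillBit $key
    # Read the value back and confirm the kill bit is actually set.
    $after = Get-CompatFlags $key
    $ok    = ($after -band $KillBit) -eq $KillBit
    '{0}  flags=0x{1:X8}  killbit={2}' -f $key, $after, $ok
}
```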
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
Terrible. Glad I know not one person in real life that uses McAfee. Junkware, hence why I've never bothered to make a video review on it.

Hopefully they'll step up and patch it ASAP now that it's public. Thanks.
 

Viking

Level 26
Verified
Honorary Member
Top Poster
Well-known
Oct 2, 2011
1,531
McAfee are having problems of late!

I have a friend who uses McAfee, I'll have to tell her about it tomorrow.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I remember reading something about how some security software increases the surface of attack, by injecting files into your web browser.

This could be one of those examples.

AFAIK, I think I'm right. :)
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Not literally good.

Even if they were working on the product up to the latest version, when it leaves a huge vulnerability that's unfixed, the result is a not so good product at all.
 

Vextor

Really? Really McAfee? You have known about a problem for almost a year and you haven't fixed it.
I really hate using it, but it's my only choice until April, where I can finally leave and get on board VIPRE (thanks to MalwareTips :D)
 