Zero Day Initiative (ZDI) has released information on a security problem in McAfee's Security-as-a-Service products (SaaS). The vulnerability broker says that it told McAfee about the hole in April 2011, and that it has now decided to publicly release the information because the vendor still hasn't provided a patch.
The flaw is contained in the myCIOScn.dll program library. In this library, the MyCioScan.Scan.ShowReport() method insufficiently filters user input and executes embedded commands within the context of the browser. The flaw can be exploited when a user opens a specially crafted file or web page. ZDI rates the issue as very severe and has given it a CVSS score of 9 – maximum severity is 10.
ZDI's advisory doesn't state exactly which products are affected. McAfee's range of SaaS products includes "SaaS Email Encryption" for encrypting emails and "Vulnerability Assessment SaaS", which checks software for potential vulnerabilities.
As a workaround, ZDI recommends that users set the kill bit in the registry to prevent Internet Explorer from instantiating the affected ActiveX control. To do so, the "Compatibility Flags" DWORD entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\209EBDEE-065C-11D4-A6B8-00C04F0D38B7 must be set to "0x00000400".
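The workaround above, scripted as an added example (not code from ZDI or McAfee). It goes slightly beyond the article by preserving any flags already present and by also covering the WOW6432Node view that 32-bit Internet Explorer reads on 64-bit Windows. It assumes the subkey name is the CLSID wrapped in braces, the form Internet Explorer uses under ActiveX Compatibility; the function name `Set-KillBit` is hypothetical.

```powershell
# Added example: apply and verify the kill bit for the CLSID named in the article.
# Run from an elevated PowerShell prompt (writes under HKLM).
$Clsid    = '{209EBDEE-065C-11D4-A6B8-00C04F0D38B7}'  # CLSID from the article; braces are an assumption
$KillBit  = 0x00000400                                # value given in the article
$ValueName = 'Compatibility Flags'

$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit Internet Explorer on 64-bit Windows reads the redirected view.
    $Roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param($Root, $Clsid, $Flag, $Name)

    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Read the existing flags (if any) so other compatibility bits are kept.
    $current = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) { $current = 0 }

    $wanted = $current -bor $Flag
    if ($wanted -ne $current) {
        Set-ItemProperty -Path $key -Name $Name -Value $wanted -Type DWord
    }

    # Re-read from the registry to confirm the bit is actually set.
    $after = (Get-ItemProperty -Path $key -Name $Name).$Name
    [pscustomobject]@{
        Key        = $key
        Before     = '0x{0:X8}' -f $current
        After      = '0x{0:X8}' -f $after
        KillBitSet = (($after -band $Flag) -eq $Flag)
    }
}

$results = foreach ($root in $Roots) {
    Set-KillBit -Root $root -Clsid $Clsid -Flag $KillBit -Name $ValueName
}
$results | Format-Table -AutoSize

if ($results.KillBitSet -contains $false) {
    Write-Error 'Kill bit is not set in every registry view.'
}
```

Internet Explorer reads these flags when it instantiates a control, so restart the browser after running the script.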