The vulnerability — which exists in the subscription manager of McAfee AntiSpyware, Internet Security Suite, PC Protection Plus, Personal Firewall Plus, Privacy Service, QuickClean, SecurityCenter, SpamKiller, Total Protection, VirusScan and Wireless Home Network Security — was patched by the California-based anti-virus giant on 22 March.
Secunia today ranked the flaw as "highly critical," meaning it can be exploited for system access from a remote location. Attackers can use the bug to cause a buffer overflow via a malicious file, according to the Danish vulnerability monitoring clearinghouse.
The flaw is caused by an error within the SecurityCenter Subscription Manager ActiveX control when handling the IsOldAppInstalled() method, according to Secunia’s advisory, and is found in versions prior to 7.2.147 and 6.0.25.
The organization recommended that users who cannot patch set the kill bit for the affected ActiveX control.
For a successful attack, a victim must be redirected to a malicious website. However, the level of social engineering required is minimal, according to an advisory from VeriSign iDefense. An iDefense representative could not immediately be reached for comment today.
COMRaider and other COM object fuzzing tools can easily find the flaw, according to iDefense’s advisory.
FrSIRT, the French Security Incident Response Team, ranked the flaw as "critical" in an advisory released today.
Researcher Peter Vreugdenhil was widely credited with discovering the flaw.
McAfee rated the flaw as "medium" severity on Monday. In an advisory, the company warned that the flaw affects McAfee products for Microsoft Windows operating systems.
End-users set to receive automatic updates are likely patched, according to McAfee’s advisory.
Dave Marcus, security research and communications manager at McAfee, told SCMagazine.com that users should ensure their systems are patched and keep an eye out for social engineering attacks.
"The vulnerability in the Secunia Advisory has been patched and available through auto-update since 22 March, 2007 so users that have this setting enabled automatically received the patch. McAfee is not aware of any active exploitation of this vulnerability in-the-wild but advises its customers to ensure they are running the latest version of this software."
Flaws in numerous McAfee products
By Frank Washkuch on May 10, 2007 10:13AM