McAfee Still Working on SaaS Hole

Wednesday, January 18, 2012 @ 02:01 PM gHale

At least six months have passed and the Zero Day Initiative (ZDI) released information on a security problem in McAfee’s Security-as-a-Service products (SaaS).

ZDI told McAfee about the hole in April 2011, and it has now decided to publicly release the information because the vendor still has not provided a patch.

Linux Kernel Panic Problem Solved
True SLOB: Linux Kernel Cracking
Wireshark Closes Security Holes
OAS HMI Holes Fixed
Snort to Boost SCADA Security

The flaw is in the myCIOScn.dll program library. In this library, the MyCioScan.Scan.ShowReport() method insufficiently filters user input and executes embedded commands within the context of the browser. The flaw can suffer from exploit when a user opens a specially crafted file or web page. ZDI rates the issue as very severe and has given it a CVSS score of 9, with the maximum severity being 10.

ZDI’s advisory does not say which products suffer from the vulnerability. McAfee’s range of SaaS products includes “SaaS Email Encryption” for encrypting emails and “Vulnerability Assessment SaaS”, which checks software for potential vulnerabilities.

As a workaround, ZDI recommends users set the kill bit in the registry to prevent Internet Explorer from instantiating the affected ActiveX control. To do so, the “Compatibility Flags” DWORD entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\209EBDEE-065C-11D4-A6B8-00C04F0D38B7 must be set to “0x00000400”.

McAfee said it is aware of the issue and that it “examined the effect of the reported issue and feels that the risk is very low”. The company has not fixed the problem yet but says “as this is a hosted solution, patches will be automatic and all affected customers will be brought to the fixed version as quickly as possible”. McAfee said it does not believe there is any risk from the vulnerability “due to the mitigations in place.”

Leave a Reply

You must be logged in to post a comment.