Wednesday, 25 January 2012

McAfee Supplies Antidote for Tainted SaaS Security

Security vendor McAfee has issued a patch for Endpoint Protection Software as a Service, a product that contained a flaw that would allow hackers to hijack a user's system and use it to spew spam. A small number of businesses were affected by the flaw, according to McAfee.
Security vendor McAfee, which is now owned by Intel (Nasdaq: INTC), is rolling out a patch for three flaws in its Endpoint Protection Software as a Service offering.

All three flaws are in ActiveX controls. One tricks the control into executing commands supplied by an attacker, the second lets attackers write to files on disk and the third lets attackers execute code with user privileges, McAfee said.

The first two flaws were patched back in August, and it's the third that created headlines earlier this week when it was found to let attackers essentially hijack victims' PCs and use them to relay spam.

McAfee knows of "four to five" victims, all small and medium-sized businesses, company spokesperson Ian Bain told TechNewsWorld. The vendor "worked with them to stop [the attack] as the patch was being developed," Bain added.

The spam relay problem "would most likely cause an ISP to block a business, and that is rarely going to happen to a large corporation," IT security expert Randy Abrams told TechNewsWorld. "Small, relatively unknown companies would be at great risk of being blacklisted."

The flaw that turned victims' PCs into spam relay machines, ZDI-CAN-1094, affects the myCIOScn ActiveX control.

It affects McAfee SaaS Endpoint Protection version 5.2.2 and earlier, McAfee said.

The vulnerability was reported to McAfee in April 2011 by Andrea Micalizzi, a.k.a. "rgod," of Tipping Point's DVI Labs.

However, user involvement is required to exploit the vulnerability. The Tipping Point advisory detailing Micalizzi's discovery said users had to visit a malicious page or open a malicious file first.

The myCIOScn ActiveX control is used in McAfee's Rumor feature. This employs file-sharing technology to distribute security product updates and upgrades. The Rumor technology was implemented to help keep down the cost of software updates and upgrades, but this isn't the first time it has backfired on McAfee.

Back in 2001, a remote vulnerability surfaced that leveraged Rumor technology to let attackers read any file on an affected PC. Attackers could use a specially formatted directory traversal URL to connect to a victim's Web server and view and download any file on the target PC, Packet Technology warned.

At that time, the Rumor technology was used in McAfee Agent under the local system account.
