Security Flaw in McAfee Antivirus Reported
CYBERSPACE – Security research firm iDefense reported Wednesday that McAfee’s line of anti-virus software is vulnerable to attack, the second report of vulnerabilities in popular anti-virus programs in as many days. (On Tuesday, independent researcher Alex Wheeler reported a bug in Symantec’s AV line.) iDefense reported that a flaw within a DLL file used by several of McAfee’s products could be exploited by hackers to write data to the compromised PC.
“This is relatively easy to exploit,” said director of iDefense Michael Sutton. “It takes some degree of social engineering – the attacker would have to draw people to a malicious Web site – but after that, there’s no further intervention required. An attacker could leverage this to write to a file on the hard drive. And once you can write to a person’s machine, you have full control.”
The McAfee bug is centered on an ActiveX control that handles writing to log files. According to the Danish security firm Secunia, McAfee’s “Security Center,” “VirusScan,” and “VirusScan Professional” all contain the flawed DLL, and are all at risk. Secunia ranks the threat “Highly critical.”
On Wednesday, McAfee issued a statement saying that the flaw had already been fixed, and updates automatically distributed to end-users.
“McAfee previously released updates that resolve this issue,” the company stated in their release. “All active McAfee users, by default, should have automatically received the update, and will now have the fix for this vulnerability already installed on their computers.”
Sutton said the problem lies in code reuse, and a lack of security testing on the part of developers when it comes to third-party code.
“There’s always code reuse in development, which is a good thing. No one writes an entire application from scratch,” said Sutton. “But if you’re using someone else’s code, you’re relying on the security of that code. Developers need to apply the same level of security testing to those shared pieces as they do to their own code.”
The McAfee and Symantec bugs are just the latest flaws found in popular and widely-distributed security software, as almost every security software vendor of note has been required to issue updates and patches during the course of this year. Earlier this year, Wheeler reported vulnerabilities in software from F-Secure, Trend Micro, and another McAfee flaw, while iDefense has reported flaws in security software from Computer Associates, Kaspersky, McAfee, Sophos, Symantec, and Zone Alarm.
“There are definite trends in security research,” Sutton said. “One researcher will find a vulnerability in a particular class of products, or find a new type of vulnerability. Then everyone rushes to it, and it becomes low hanging fruit. But it’s a good thing, because these products are now getting patched.”