[NT] McAfee Internet Security Suite Race Condition Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 04/19/05
- Previous message: SecuriTeam: "[EXPL] Openssl-Too-Open: Apache / OpenSSL Remote Exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Apr 2005 11:22:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
McAfee Internet Security Suite Race Condition Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.mcafeesecurity.com/> McAfee Internet Security Suite is a
"product used to protect a personal computer from virus infections, and
additionally provides firewall and privacy control functionality".
Local exploitation of an insecure permission vulnerability in McAfee
Internet Security Suite allows attackers to escalate non-Administrator
privileges or disable protection.
DETAILS
Vulnerable Systems:
* McAfee Internet Security Suite 2005
The vulnerability specifically exists in the default file Access Control
List (ACL) settings that are applied during installation. When an
administrator installs McAfee Internet Security Suite 2005, the default
ACL allows non-Administrator users to modify the installed files. Because
of the fact that some of the programs run as system services, a
non-Administrator user can simply replace an installed McAfee Internet
Security Suite 2005 file with their own malicious code that will later be
executed with system privileges.
Successful exploitation allows local attackers to escalate privileges the
system level. It is also possible to use this vulnerability to simply
disable protection by moving all of the executable files so that they
cannot start upon a reboot.
Workaround:
Apply proper Access Control List settings to the directory that McAfee
Internet Security Suite 2005 is installed in. The ACL rules should make
sure that no regular users can modify files in the directory.
Vendor Status:
"McAfee has acknowledged this issue and is providing automated fixes for
registered users. This issue affects an extremely small subset of the
McAfee Internet Security Suite 2005 user base as the vast majority of home
users do not use non-Administrator Windows accounts.
Registered McAfee Internet Security Suite 2005 users should have
automatically downloaded and installed high-priority McAfee security
software updates by default, and now have fixes for this vulnerability
installed on their computers.
To manually check for updates, users can right-click the McAfee system
tray icon (white M on red background) and select 'Updates'. In the
resulting dialogue box, they should click 'Check Now' to check the server
for updates. The user will be walked through the update process or be
notified that all software is up to date. If a user has not yet
registered, a registration web page or the registration wizard will
pop-up, guiding the user through the update process.
McAfee's key priority is the security of our customers. In the event that
a vulnerability is found within any of McAfee's software, we have a strong
process in place to work closely with the relevant security research group
to ensure the rapid and effective development of a fix and communication
plan."
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1107>
CAN-2005-1107
Disclosure Timeline:
02/04/2005 - Initial vendor notification
02/07/2005 - Initial vendor response
04/18/2005 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> idlabs.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=233&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=233&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] Openssl-Too-Open: Apache / OpenSSL Remote Exploit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
