
Bug Bites McAfee Antivirus

A security research firm says McAfee's antivirus line is vulnerable to attack, the second such warning issued about antivirus software in two days.

A security research firm said Wednesday that McAfee's anti-virus line is vulnerable to attack, the second such warning issued about anti-virus software in two days.

Reston, Va.-based iDefense said that a flaw within a DLL used by a number of McAfee products could be exploited by attackers to write data to the victimized PC. In other words, the very software that was supposed to protect a PC could be turned against its user.

"There is some irony there," said Michael Sutton, the director of iDefense Labs.

This is the second vulnerability in anti-virus (AV) software made public in the last two days. On Tuesday, an independent researcher released information about a bug in Symantec's AV product line.

"This is relatively easy to exploit," said Sutton. "It takes some degree of social engineering -- the attacker would have to draw people to a malicious Web site -- but after that, there's no further intervention required. An attacker could leverage this to write to a file on the hard drive. And once you can write to a person's machine, you have full control."

Unlike the Symantec bug, the one in McAfee's AV software revolves around an ActiveX control responsible for writing to log files. ActiveX, a Microsoft invention, has been cited numerous times as the root of vulnerabilities, though usually they're related to Internet Explorer, the Redmond, Wash.-based developer's popular browser.

According to Secunia, a Danish vulnerability tracker, McAfee's Security Center, VirusScan, and VirusScan Professional all include the flawed DLL, and so are at risk. Secunia ranked the threat as "Highly critical."

On Wednesday, McAfee issued a statement saying that the flaw had been fixed and updates automatically pushed out to users.
