|
|
|
Credit:
The information has been provided by iDEFENSE Labs.
The original article can be found at: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=358
|
|
Vulnerable Systems:
* McAfee VirusScan mcinsctl.dll version 4.0.0.83
The vulnerability specifically exists due to a registered ActiveX control failing to restrict which domains may load the control for execution. MCINSCTL.DLL as included with McAfee Security Center exports an object for logging called MCINSTALL.McLog. The McLog object is designed to allow Security Center to log to a file through the StartLog and AddLog methods. McAfee fails to restrict the ActiveX control from being loaded in arbitrary domains. As such, attackers can create a specially crafted web page utilizing the McLog object to create arbitrary files. This attack can lead to arbitrary code execution by a remote attacker.
Successful exploitation of this vulnerability allow attackers to create or append to arbitrary files. An attacker can write to a startup folder to execute arbitrary code during the next reboot or logon session. A user will not be required to authorize the object instantiation since the object is within a signed ActiveX control. A typical exploitation scenario would require an attacker to convince a targeted user to visit a malicious website.
This vulnerability hints at a new class of vulnerabilities that occur due to developers not using the IObjectSafetySiteLock() API to restrict domains that can load a particular ActiveX control. Vendors who distributed third-party ActiveX controls should be sure to use the IObjectSafetySiteLock() API in their applications.
Vendor Status:
"McAfee previously released updates to SecurityCenter that resolve this issue. All active McAfee SecurityCenter users, by default, should have automatically received the update, and will now have the fix for this vulnerability already installed on their computers.
To manually check for updates, users can right-click the McAfee system tray icon (white M on red background) and select 'Updates'. In the resulting dialog box, they should click 'Check Now' to check the server for updates. The user will be walked through the update process or be notified that all software is up to date. If a user has not yet registered, a registration web page or the registration wizard will pop-up, guiding the user through the update process.
McAfee's key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee's software, we have a strong process in place to work closely with the relevant security
research group to ensure the rapid and effective development of a fix and communication plan."
CVE Information:
CVE-2005-3657
Disclosure Timeline:
11/15/2005 - Initial vendor notification
11/16/2005 - Initial vendor response
12/20/2005 - Coordinated public disclosure
|
|
|
|