From AV to oy-vey: McAfee antivirus has security hole of its own

Security suite falls victim to malicious DLLs

Three of McAfee's anti-malware products have been found to contain a vulnerability that could allow an attacker to bypass the software's own self-defense protections and take full control of a PC.

The team at SafeBreach Labs says that it privately reported the bug to McAfee, and the security shop released a patch on Tuesday before the report went public. Users and admins running McAfee Total Protection, Anti-Virus Plus, and Internet Security are all advised to update their software to version 12.0.R22 Refresh 1 or later.

Crucially, SafeBreach noted: "In order to exploit this vulnerability the attacker needs to have Administrator privileges."

According to the biz, the flaw can be traced back to an error in the McAfee software that causes the security tools to try to load a DLL (wbemcomn.dll, a Windows WMI library) from the wrong file path: a classic DLL search-order hijacking setup.

This means an attacker could drop their own malicious wbemcomn.dll into the directory where the software actually looks, and the security tools would load and execute it with no signature or origin check.

"We suspected that a vulnerability could be exploited if we could load an arbitrary unsigned DLL into these processes," SafeBreach Labs researcher Peleg Hadar explains in a write-up.

"This would enable us to bypass the self-defense mechanism of the antivirus software, mainly because the folders of the McAfee software are protected by a mini-filter filesystem driver, which restricts writing operations even by an Administrator."

In practice, this means an attacker who already holds local admin rights could use the vulnerability to run code inside McAfee's own processes with SYSTEM privileges, from a directory the self-defense driver does not lock down, without having to worry about the McAfee anti-malware tools catching or stopping the operation.

Additionally, because the DLL would be loaded every time the security suite's processes start, it would be a good way for an attacker to gain persistence on the machine and survive a reboot.
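The check a defender would want for the load-from-the-wrong-path pattern described above, and for the persistence it gives: hunt Sysmon Event ID 7 (ImageLoad) telemetry for a system DLL such as wbemcomn.dll being loaded from anywhere other than System32/SysWOW64 itself, or loaded with a missing or invalid Authenticode signature. This is an added example written for this page, not code from SafeBreach, McAfee or The Register. The events are constructed; only the field names (Image, ImageLoaded, Signed, SignatureStatus) follow Sysmon's ImageLoad schema, and the `avservice.exe` path is a placeholder rather than any real McAfee binary.

```python
"""Hunt Sysmon Event ID 7 (ImageLoad) records for DLL search-order hijacks.

Added example for this page, not SafeBreach or McAfee code. Sample events
are constructed; the process path below is a placeholder.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# DLLs that must only ever be loaded straight out of the Windows system
# directories. wbemcomn.dll (the WMI common library) is the one named above.
SYSTEM_ONLY_DLLS = {"wbemcomn.dll"}

# Exact parent directories, not prefixes: a copy planted in a subdirectory
# of System32 is still a hijack, and prefix matching would wave it through.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


@dataclass(frozen=True)
class Finding:
    process: str
    image_loaded: str
    reason: str


def loaded_from_system_dir(path: str) -> bool:
    """True only if the DLL's parent directory is exactly System32 or SysWOW64.

    ntpath.normpath collapses '..' segments first, so a path such as
    'System32\\..\\Temp\\x.dll' is judged by where it really resolves.
    """
    parent = ntpath.dirname(ntpath.normpath(path)).lower()
    return parent in SYSTEM_DIRS


def check_image_load(event: dict) -> Optional[Finding]:
    """Return a Finding for an ImageLoad event that loads a system-only DLL
    from the wrong place or without a valid Authenticode signature."""
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in SYSTEM_ONLY_DLLS:
        return None
    if not loaded_from_system_dir(loaded):
        return Finding(event["Image"], loaded,
                       "system DLL loaded from a non-system directory")
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        return Finding(event["Image"], loaded,
                       "system DLL with missing or invalid signature")
    return None


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run the check over a stream of ImageLoad events and keep the hits."""
    return [f for f in (check_image_load(e) for e in events) if f is not None]


AV = "C:\\Program Files\\ExampleAV\\avservice.exe"  # placeholder, not a real binary
SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    # Benign: the genuine library from System32, signed and valid.
    {"Image": AV, "ImageLoaded": "C:\\Windows\\System32\\wbemcomn.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Unrelated library; the rule ignores it.
    {"Image": AV, "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Hijack pattern: same file name planted in a subdirectory, unsigned.
    {"Image": AV, "ImageLoaded": "C:\\Windows\\System32\\wbem\\wbemcomn.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Traversal variant that resolves to a directory outside System32.
    {"Image": AV, "ImageLoaded": "C:\\Windows\\System32\\..\\Temp\\wbemcomn.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Right directory, but the signature no longer verifies (tampered file).
    {"Image": AV, "ImageLoaded": "C:\\Windows\\System32\\wbemcomn.dll",
     "Signed": "true", "SignatureStatus": "Invalid"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding.process}: {finding.image_loaded} -> {finding.reason}")
```

Running the script against the constructed events flags the last three and stays silent on the first two. In a real deployment the same rule runs over the Sysmon channel in your SIEM; because the hijacked DLL is reloaded every time the protected services start, the alert also doubles as a persistence check after reboots, and the unsigned-load condition is the one that survives even if an attacker picks a directory the rule does not anticipate.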

The vulnerability, first reported to McAfee in early August, has been designated CVE-2019-3648.

The release of this patch will come at what is already a busy time for administrators. Microsoft, Adobe, and SAP are all set to release their own monthly patch bundles today, while Intel has also posted a microcode update to help protect against yet another variation on the ZombieLoad side channel attack. ®

Biting the hand that feeds IT © 1998–2022