John Bartow
john at winhaven.net
Thu Mar 17 21:16:03 CST 2005
Just got one of these concerning McAfee. Who's next?

John B.

Malicious E-mail Commandeers Computers Running McAfee AV
Severity: Medium
17 March, 2005

Summary: Today, ISS X-Force, in cooperation with McAfee, announced a critical buffer overflow vulnerability affecting the antivirus (AV) engine used by most McAfee products. By sending an e-mail containing a specially-crafted attachment, an attacker could exploit this flaw to execute code and gain total control of any machine running McAfee's AV. Since AV software scans incoming files automatically, the attack can succeed even if the victim does not interact with the malicious e-mail. If you use McAfee AV, ensure that your clients have downloaded the McAfee VirusScan 4400 Scan Engine and version 4436 (or higher) signature DAT.

Exposure: Today, both ISS X-Force and McAfee [pdf] released alerts describing a new buffer overflow flaw that affects the antivirus (AV) engine used by most McAfee products. The flaw resembles the Symantec, F-Secure and Trend Micro flaws that ISS X-Force reported during February. According to both advisories, the buffer overflow results from the McAfee VirusScan Engine's inability to properly parse specially-malformed LHA files. LHA is a compression format some virus authors utilize to make files smaller, and thus faster-spreading. By sending an e-mail containing a specially-crafted LHA attachment, an attacker can exploit this buffer overflow to execute code on any computer running McAfee's AV software. Since AV software scans incoming files automatically, such an attack would succeed even if no one on your network interacts with the malicious e-mail. Once the infected e-mail is received at a valid address on your network, the attacker could obtain full control of the victim's PC whether or not the victim opens the booby-trapped e-mail.

Besides scanning e-mail, McAfee's VirusScan Engine also monitors files downloaded from the Web, FTP servers, and Windows SMB shares. An attacker could also exploit this vulnerability by enticing a victim into downloading a malicious LHA file from these alternate sources.

The vulnerability itself presents a serious threat. However, we rank the severity "Medium" because McAfee released a VirusScan Engine that fixed this flaw back in December 2004. If you have McAfee's auto-update feature enabled, your engine has been patched and this flaw no longer presents any risk.