McAfee is offering an update that fixes two bugs in the ActiveX controls that the SaaS Endpoint Protection product uses for its normal operations. The first issue could allow a remote attacker to execute commands on the system. The second could result in files being overwritten and, in specific circumstances, possible code execution.
To make sure you get the patch, ensure that your systems are online and available to receive updates. All systems should receive the patch by January 30th.
The researcher details three issues in McAfee SaaS Endpoint Protection:
JANUARY 2012 UPDATE: This patch also has been shown to remediate a newer issue, disclosed as ZDI-CAN-1094. We have updated this document on January 17, 2012 to reflect this new information.
ZDI-CAN-1104
This issue affects the MyAsUtil ActiveX control. This control acts as a proxy for the SaaS Endpoint Protection system to allow for execution of commands. The attack tricks the control into executing attacker-supplied commands.
ZDI-CAN-1105
This issue affects the myCIOScn ActiveX control, which acts as the main scanning process. The issue gives the attacker the ability to write to a file on disk. Some contents of the file can be controlled by the attacker.
ZDI-CAN-1094 -- UPDATED
This issue also affects the myCIOScn ActiveX control. The issue described in this disclosure could allow an attacker to execute code within the context of the ActiveX control. This would result in code running under the same privilege as the logged-in user.
These issues all require a target to click on an attacker-supplied link or open an attacker-supplied file. Each has ActiveX protections that limit where a request can originate, meaning that an attacker needs to perform a separate attack (known as an XSS) for any of these attacks to work.
All of these issues are resolved in McAfee SaaS Endpoint Protection version 5.2.2, released on August 4th, 2011.
For more information, please visit https://www.mcafeeasap.com/MarketingContent/default.aspx.