Information Security all in one place!

Posts tagged “McAfee”

McAfee Email and Web Security Appliance v5.6: Multiple Vulnerabilities


NGS Secure has discovered high-risk vulnerabilities in the McAfee Email and Web Security Appliance.

Affected versions: all versions prior to 5.5 Patch 6, Email and Web Security 5.6 Patch 3, McAfee Email Gateway 7.0 Patch 1

Vulnerabilities Include:

  • Reflective XSS allowing an attacker to gain session tokens
  • Session hijacking and bypassing client-side session timeouts
  • Any logged-in user can bypass controls to reset passwords of other administrators
  • Active session tokens of other users are disclosed within the UI
  • Password hashes can be recovered from a system backup and easily cracked
  • Arbitrary file download is possible with a crafted URL when logged in as any user

 

NGS Secure is going to withhold details of this flaw for three months. This three-month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure.


Love and Security: Microsoft Sends us Both


Happy Patch Day

Instead of giving you the same breakdown of the recent critical fixes, I have decided to go a different route. NSIT has compiled a list of websites that discuss the vulnerabilities in depth. Microsoft has released fixes for some critical exploits; knowing what they are is just half of what you need to know. How applying these updates affects your current environment is critical. Read on and keep patching!!

Microsoft’s Security Website: http://technet.microsoft.com/en-us/security/bulletin/ms12-feb

CIO Today:

Andrew Storms, director of security operations at nCircle, quipped that IT security teams are not getting any candy hearts from Microsoft for Patch Tuesday. Instead, every version of Internet Explorer gets a security update. Another analyst pointed to the HTML Layout and GDI Access Violation vulnerabilities as particularly important patches.

Read More: http://www.cio-today.com/news/No-IT-Valentines-on-Patch-Tuesday/story.xhtml?story_id=0320013QGOXS&full_skip=1

CSO Blogs:

Microsoft has just released its February 2012 security updates. Here’s some analysis from the folks at Symantec, McAfee and Qualys.

Read More: http://blogs.csoonline.com/network-security/2031/patch-tuesday-notes-february-2012

InfoPackets:

Microsoft will be offering fixes for a wide range of flaws affecting the company’s Internet Explorer (IE) web browser, every version of its Windows operating system (OS), as well as Microsoft Office.

Read More: http://www.infopackets.com/news/business/microsoft/2012/20120213_microsoft_patch_tuesday_fixes_21_security_flaws.htm

Your feedback is encouraged http://feedback.netsecurityit.com


Security Earthquake That Nobody Felt



Wow, this is actually major security news. I found this on the blog from CoreTrace, and they said: “This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, actively and unequivocally endorsed Application Whitelisting. Ironically, in hard coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too.”

BREAKING NEWS: “Endpoint Security Earthquake Hits: McAfee Actively Endorses Application Whitelisting. Magnitude & Ramifications Are Significant.”


First, let’s cover the major quake: McAfee’s active endorsement of application whitelisting—for corporate desktops and laptops. In a series of videos on the popular video sharing site, YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and McAfee Application Control’s purported advantages (most of which are unique compared to other whitelisting solutions but are not unique compared to CoreTrace (e.g., trusted change and memory protection)). You can view the initial video here. While you are at YouTube, make sure to check out CoreTrace’s video channel too.


While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant has never publicly announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: “Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”

Second, let’s cover the story of the related tremors: The industry’s recommendations to utilize application whitelisting to solve problems like those created by Symantec’s pcAnywhere code theft. While Symantec’s own advisory to pcAnywhere users only includes its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as a part of his recommendations in a FoxNews.com interview, Anup Ghosh, founder and CEO of Virginian security firm Invincea, told FoxNews.com: “Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”

So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feet, what will Symantec do? Stay tuned for future coverage of this developing story…

Source: http://www.coretraceblogs.com/2012-01/security-earthquake-that-nobody-felt-mcafee-endorses-application-whitelisting/



180 days and Still Nothing from McAfee


Zero Day Initiative (ZDI) has released information on a security problem in McAfee’s Security-as-a-Service products (SaaS). The vulnerability broker says that it told McAfee about the hole in April 2011, and that it has now decided to publicly release the information because the vendor still hasn’t provided a patch.


The flaw is contained in the myCIOScn.dll program library. In this library, the MyCioScan.Scan.ShowReport() method insufficiently filters user input and executes embedded commands within the context of the browser. The flaw can be exploited when a user opens a specially crafted file or web page. ZDI rates the issue as very severe and has given it a CVSS score of 9 – maximum severity is 10.

ZDI’s advisory doesn’t state exactly which products are affected. McAfee’s range of SaaS products includes “SaaS Email Encryption” for encrypting emails and “Vulnerability Assessment SaaS”, which checks software for potential vulnerabilities.

As a workaround, ZDI recommends that users set the kill bit in the registry to prevent Internet Explorer from instantiating the affected ActiveX control. To do so, the “Compatibility Flags” DWORD entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\209EBDEE-065C-11D4-A6B8-00C04F0D38B7 must be set to “0x00000400”.

It is unusual that a security vendor and service provider would make itself vulnerable in such a way. McAfee has not yet responded to an inquiry on this matter from heise Security, the H’s German associates.

Update: McAfee has now released a statement saying that it was aware of the issue and that it had “examined the effect of the reported issue and feel that the risk is very low”. The company has not yet fixed the problem, but says “as this is a hosted solution, patches will be automatic and all affected customers will be brought to the fixed version as quickly as possible”. McAfee says it does not believe there is any risk from the vulnerability “due to the mitigations in place”.

Read More: http://tinyurl.com/7q2vaqe


(0Day) McAfee SaaS myCIOScn.dll ShowReport Method Remote Command Execution


Sun, Jan. 15, 2012: -NetSecurityIT Rapid Alert-
-- Affected Vendors:

McAfee

-- Affected Products:

McAfee Security-as-a-Service

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 11710.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of McAfee Security-as-a-Service. User
interaction is required to exploit this vulnerability in that the target
must visit a malicious page or open a malicious file.

The specific flaw exists within myCIOScn.dll.
MyCioScan.Scan.ShowReport() will accept commands that are passed to a
function that simply executes them without authentication. This can be
leveraged by a malicious attacker to execute arbitrary code within the
context of the browser.

-- Vendor Response:

-- Mitigation:
The killbit can be set on this control to disable scripting within
Internet Explorer by modifying the data value of the Compatibility Flags
DWORD within the following location in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\209EBDEE-065C-11D4-A6B8-00C04F0D38B7

If the Compatibility Flags value is set to 0x00000400 the control can no
longer be instantiated inside the browser. For more information, please
see: http://support.microsoft.com/kb/240797
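
The kill-bit workaround described here and in the article above, as an added PowerShell example that is not part of the ZDI advisory or of McAfee's guidance: it reports whether the bit is set for the advisory's CLSID and, with the hypothetical `-Apply` switch, sets it. Assumptions of this example: the CLSID subkey is wrapped in braces (the page prints it without them), the Wow6432Node view used by 32-bit Internet Explorer on 64-bit Windows is covered as well, and the bit is OR-ed into any flags already present.

```powershell
# Added example: audit (default) or set (-Apply) the IE kill bit for the
# ActiveX control named in the advisory. Run from an elevated prompt.
param([switch]$Apply)

# CLSID as printed on this page; the surrounding braces are this example's
# assumption, following how ActiveX Compatibility subkeys are named.
$Clsid   = '{209EBDEE-065C-11D4-A6B8-00C04F0D38B7}'
$Name    = 'Compatibility Flags'
$KillBit = 0x00000400

# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view,
# so both views are handled when they exist on this machine.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Get-Flags([string]$Key) {
    # Returns the current DWORD, or 0 when the key or the value is absent.
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($p) { [int]($p.$Name) } else { 0 }
}

foreach ($root in $Roots) {
    $key    = Join-Path $root $Clsid
    $before = Get-Flags $key

    if ($Apply -and (($before -band $KillBit) -eq 0)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so other compatibility flags already present survive.
        New-ItemProperty -Path $key -Name $Name -PropertyType DWord `
            -Value ($before -bor $KillBit) -Force | Out-Null
    }

    # Read the value back rather than trusting the write.
    $after = Get-Flags $key
    [pscustomobject]@{
        Key        = $key
        Flags      = '0x{0:X8}' -f $after
        KillBitSet = (($after -band $KillBit) -ne 0)
    }
}
```

Run without `-Apply` across a fleet to find hosts where `KillBitSet` is still `False` in either registry view.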

-- Disclosure Timeline:
2011-04-01 – Vulnerability reported to vendor

2012-01-12 – 0Day advisory released in accordance with the ZDI 180 day
deadline policy

-- Credit:
This vulnerability was discovered by:

* Andrea Micalizzi aka rgod

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.