
Researchers found a dangerous flaw in McAfee antivirus products

SafeBreach specialists discovered a dangerous bug in McAfee's antivirus products. The vulnerability, CVE-2019-3648, affects the McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP) and McAfee Internet Security (MIS) security solutions.

The cause of the problem is that the McAfee products try to load the DLL file wbemcomn.dll using an incorrect file path.

“In our exploration, we found that multiple services of the McAfee software which run as signed processes and as NT AUTHORITY\SYSTEM try to load c:\Windows\System32\wbem\wbemcomn.dll, which cannot be found (since it is actually located in System32 and not in the System32\Wbem folder)”, write the SafeBreach specialists.

As a result, an attacker gets the opportunity to create their own malicious version of wbemcomn.dll and place it in the directory where the antivirus is looking for the file, which ultimately leads to the file being loaded and executed without any checks.


To exploit the vulnerability, an attacker needs administrator rights. If this condition is met, the bug allows bypassing the protective mechanisms of the McAfee antivirus products and loading unsigned DLLs into various services running with NT AUTHORITY\SYSTEM rights.

“We suspected that a vulnerability could be exploited if we could load an arbitrary unsigned DLL into these processes. This would enable us to bypass the self-defense mechanism of the antivirus software, mainly because the folders of the McAfee software are protected by a mini-filter filesystem driver, which restricts writing operations even by an Administrator”, explain the SafeBreach researchers.

This ability might be abused by an attacker for different purposes such as execution and evasion, for example an Application Whitelisting Bypass.


It also gives the attacker persistence on the system, because the malicious code in the DLL is executed every time the affected services restart.
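From a detection standpoint, the useful signal in this bug is a load of wbemcomn.dll from anywhere other than its legitimate System32 location, and in particular from the System32\wbem path the vulnerable services probe. The following script is an added example (not SafeBreach's or McAfee's code) that applies that rule to Sysmon-style "Image loaded" (Event ID 7) records flattened to one key=value line per event; the sample records are constructed, and the ExampleAV\svc.exe path in them is a placeholder for whichever service is doing the loading.

```python
"""Detect wbemcomn.dll search-order hijacking (CVE-2019-3648) in
Sysmon-style "Image loaded" (Event ID 7) records.

Added example, not SafeBreach's or McAfee's code. It assumes image-load
events flattened to one line of key=value fields each; the sample records
below are constructed and the loading service path is a placeholder.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Legitimate location of the DLL, as given in the advisory.
EXPECTED_PATH = r"c:\windows\system32\wbemcomn.dll"
# The non-existent path the vulnerable services probe first, per the advisory.
HIJACK_PATH = r"c:\windows\system32\wbem\wbemcomn.dll"
TARGET_DLL = "wbemcomn.dll"

# Constructed sample events (not real telemetry; ExampleAV\svc.exe is a placeholder).
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Program Files\ExampleAV\svc.exe ImageLoaded=C:\Windows\System32\wbemcomn.dll Signed=true User=NT AUTHORITY\SYSTEM",
    r"EventID=7 Image=C:\Program Files\ExampleAV\svc.exe ImageLoaded=C:\Windows\System32\wbem\wbemcomn.dll Signed=false User=NT AUTHORITY\SYSTEM",
    r"EventID=7 Image=C:\Users\alice\tool.exe ImageLoaded=C:\Users\alice\wbemcomn.dll Signed=false User=DESKTOP\alice",
    r"EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\Windows\System32\kernel32.dll Signed=true User=NT AUTHORITY\SYSTEM",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe User=DESKTOP\alice",
]

# key=value pairs whose values may contain spaces: read lazily up to the next " key=".
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    loader: str
    dll_path: str
    user: str
    severity: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when wbemcomn.dll is loaded from an unexpected path, else None."""
    if event.get("EventID") != "7":
        return None
    dll_path = event.get("ImageLoaded", "")
    if ntpath.basename(dll_path).lower() != TARGET_DLL:
        return None
    normalized = ntpath.normpath(dll_path).lower()
    if normalized == EXPECTED_PATH:
        return None  # the genuine copy in System32
    runs_as_system = event.get("User", "").upper() == r"NT AUTHORITY\SYSTEM"
    unsigned = event.get("Signed", "").lower() != "true"
    if normalized == HIJACK_PATH:
        reason = "wbemcomn.dll loaded from System32\\wbem, the path the vulnerable services probe"
    else:
        reason = "wbemcomn.dll loaded from an unexpected location"
    # An unsigned copy pulled into a SYSTEM process is the case the advisory describes.
    severity = "high" if (runs_as_system and unsigned) else "medium"
    return Finding(event.get("Image", ""), dll_path, event.get("User", ""), severity, reason)


def scan(lines: List[str]) -> List[Finding]:
    """Run the rule over every record and collect the hits."""
    hits = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding is not None:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit.severity}] {hit.loader} loaded {hit.dll_path} as {hit.user}: {hit.reason}")
```

Run against the constructed sample, the rule ignores the genuine System32 load and the unrelated kernel32.dll load, raises the System32\wbem load by the SYSTEM service as high, and the user-profile copy as medium. On a live host the complementary preventive check is simply that no file exists at C:\Windows\System32\wbem\wbemcomn.dll, since the legitimate DLL never lives there.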

The researchers reported the problem to McAfee back in August of this year, and the vulnerability has since been fixed. Users of the vulnerable products are advised to upgrade to version 16.0.R22 Refresh 1.
