Home » How to remove » Adware » Researchers found dangerous bug in McAfee antivirus products

Researchers found dangerous bug in McAfee antivirus products

SafeBreach specialists discovered a dangerous bug in McAfee antivirus products. The vulnerability CVE-2019-3648 affects McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and McAfee Internet Security (MIS) security solutions.

The cause of the problem is that McAfee products are trying to load the DLL file (wbemcomn.dll) using the wrong file path.

“In our exploration, we found that multiple services of the McAfee software which run as signed processes and as NT AUTHORITY\ SYSTEM try to load c:\Windows\System32\wbem\wbemcomn.dll, which cannot be found (since it is actually located in System32 and not in the System32\Wbem folder)”, – write SafeBreach specialists.

As a result, the attacker gets the opportunity to create his own malicious version of wbemcomn.dll, place it in a directory where the antivirus is trying to detect the file, which will ultimately lead to the file downloading and its launch without any checks.

Read also: Named three American antivirus producers, hacked by Fxmsp band

To exploit the vulnerability, attacker will need administrator rights. If this condition has been met, the bug allows bypassing the protective mechanisms of McAfee antivirus products and load unsigned DLLs into various services working with NT AUTHORITY\SYSTEM rights.

“We suspected that a vulnerability could be exploited if we could load an arbitrary unsigned DLL into these processes. This would enable us to bypass the self-defense mechanism of the antivirus software, mainly because the folders of the McAfee software are protected by a mini-filter filesystem driver, which restricts writing operations even by an Administrator”, – explain SafeBreach researchers.

This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass.

READ  How to remove Pcmban.com casino site ads?

It will also provide the attacker with a stable presence in the system, because malicious code from the DLL will be executed with every restart of the services.

Researchers told McAfee specialists about the problem back in August of this year, and by now the vulnerability has already been fixed. Users of vulnerable products are advised to upgrade to version 16.0.R22 Refresh 1.

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

How to remove Betchan19.com casino site ads?

This tutorial clarifies how to block Betchan19.com online casino ads in your internet browser. The …

How to block Nodepositcasino.net online casino ads?

This tutorial discusses how to remove Nodepositcasino.net online casino site pop-ups in your web browser. …

Leave a Reply