A security research firm said Wednesday that McAfee's anti-virus line is vulnerable to attack, the second such warning issued about anti-virus software in two days.
Reston, Va.-based iDefense said that a flaw within a DLL used by a number of McAfee products could be exploited by attackers to write data to the victimized PC. In other words, the very software that was supposed to protect a PC could be turned against its user.
"There is some irony there," said Michael Sutton, the director of iDefense Labs.
This is the second vulnerability in anti-virus (AV) software made public in the last two days. On Tuesday, an independent researcher released information about a bug in Symantec's AV product line.
"This is relatively easy to exploit," said Sutton. "It takes some degree of social engineering -- the attacker would have to draw people to a malicious Web site -- but after that, there's no further intervention required. An attacker could leverage this to write to a file on the hard drive. And once you can write to a person's machine, you have full control."
Unlike the Symantec bug, the one in McAfee's AV software revolves around an ActiveX control responsible for writing to log files. ActiveX, a Microsoft invention, has been cited numerous times as the root of vulnerabilities, though usually they're related to Internet Explorer, the Redmond, Wash.-based developer's popular browser.
According to Secunia, a Danish vulnerability tracker, McAfee's Security Center, VirusScan, and VirusScan Professional all include the flawed DLL, and so are at risk. Secunia ranked the threat as "Highly critical."
On Wednesday, McAfee issued a statement saying that the flaw had been fixed and updates automatically pushed out to users.
"McAfee previously released updates that resolve this issue. All active McAfee users, by default, should have automatically received the update, and will now have the fix for this vulnerability already installed on their computers," the company said.
"A DLL is canned functionality, so if you include a vulnerable DLL in an application, that application is by default vulnerable," said Sutton, who noted that bugs in Trend Micro's security software disclosed by iDefense last week were also DLL related. In Trend Micro's case, the DLL was a Microsoft-made library that had been updated three years before. Trend, however, neglected to refresh the DLL before using it within its programs.
"There's always code reuse in development, which is a good thing. No one writes an entire application from scratch," said Sutton. "But if you're using someone else's code, you're relying on the security of that code. Developers need to apply the same level of security testing to those shared pieces as they do to their own code."
Security software has taken a public relations beating during 2005, as most notable vendors have had to issue patches and updates to fix flaws uncovered by a number of researchers. Earlier in 2005, the discoverer of Tuesday's Symantec bug publicized a number of vulnerabilities in anti-virus software from vendors including F-Secure, Kaspersky Labs, McAfee, and Trend Micro.
iDefense, meanwhile, has listed vulnerabilities in security software from companies such as Computer Associates, Kaspersky, McAfee, Sophos, Symantec, and Zone Alarm in 2005.
"There are definite trends in security research," Sutton explained. "One researcher will find a vulnerability in a particular class of products or find a new type of vulnerability. Then everyone rushes to it, and it becomes low hanging fruit.
"But it's a good thing, because these products are now getting patched," he said.