Article 4VKEB Symantec, McAfee Patch Privilege Escalation Bugs

Symantec, McAfee Patch Privilege Escalation Bugs

by
Fnord666
from SoylentNews on (#4VKEB)

upstart writes:

Submitted via IRC for SoyCow1337

Symantec, McAfee Patch Privilege Escalation Bugs

All versions of endpoint protection software from both vendors were susceptible to near identical issue, SafeBreach says.

Symantec and McAfee have patched a near identical vulnerability in their respective endpoint protection software that would have made it easier for attackers with prior admin access to a system to create more damage.

In both instances, the flaws were reported by security vendor SafeBreach and stemmed from a lack of signature validation when code was being loaded into certain processes of the respective vendor software.

SafeBreach's analysis shows multiple signed processes in McAfee's endpoint protection software and one service in Symantec's equivalent products attempting to load a dynamic-link library (DLL) from a path that didn't exist.

SafeBreach researchers developed a proof-of-concept exploit showing how an attacker could have exploited that issue to bypass self-defense mechanisms and load an arbitrary, unsigned DLL into processes running in each vendor's products.

All versions of Symantec Endpoint Protection prior to the just-patched 14.2 RU2 were vulnerable. All versions of McAfee's Total Protection (MTP), Anti-Virus Plus (AVP), and Internet Security (MIS) up to and including version 16.0.R22 were vulnerable. Both vendors have patched the issue.

Peleg Hadar, security researcher at SafeBreach, says the now-patched vulnerability in the McAfee and Symantec products provided attackers with a persistence mechanism for deploying malware on endpoint systems.

An attacker also would have been able to operate under the context and behalf of the antivirus process on compromised endpoint systems, he says. Multiple parts of both Symantec's and McAfee's vulnerable endpoint protection software run as a Windows service with the highest-level privileges on the system.

By exploiting the flaw, an attacker could have potentially bypassed each vendor's security controls and that of any other endpoint protection software that might be installed on the same system. Normally, even an attacker with admin access on a system wouldn't be able to implant malware in the antivirus directory.

Original Submission

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments