Security vendor McAfee, which is now owned by Intel, is rolling out a patch for three flaws in its Endpoint Protection Software as a Service offering. All three flaws are in ActiveX controls. One tricks the control into executing commands supplied by an attacker, the second lets attackers write to files on disk, and the third lets attackers execute code with user privileges, McAfee said. The first two flaws were patched back in August, and it’s the third that made headlines earlier this week when it was found to let attackers essentially hijack victims’ PCs and use them to relay spam.
Please note that the spamming problem required no user action, and was due to a separate issue with the Rumor service as notified in McAfee Security Bulletin SB10018. For full details see the Kaamar Blog http://kaamar.com/blog
I thought ActiveX was always so taboo. Why is a security company using ActiveX in its products? Maybe I am missing something but I have not heard of anybody else using ActiveX. Or maybe they just have better security? Seems to me this is like having a guard at your door but the door has no lock.
McAfee Supplies Antidote for Tainted SaaS Security
Posted by: Richard Adhikari January 21, 2012 07:00 AM