Reston, Va.-based iDefense said that a flaw within a DLL used by a number of McAfee products could be exploited by attackers to write data to the victimized PC. In other words, the very software that was supposed to protect a PC could be turned against its user.
"There is some irony there," said Michael Sutton, the director of iDefense Labs.
This is the second vulnerability in anti-virus (AV) software made public in the last two days. On Tuesday, an independent researcher released information about a bug in Symantec's AV product line.
"This is relatively easy to exploit," said Sutton. "It takes some degree of social engineering -- the attacker would have to draw people to a malicious Web site -- but after that, there's no further intervention required. An attacker could leverage this to write to a file on the hard drive. And once you can write to a person's machine, you have full control."
Unlike the Symantec bug, the one in McAfee's AV software revolves around an ActiveX control responsible for writing to log files. ActiveX, a Microsoft invention, has been cited numerous times as the root of vulnerabilities, though usually they’re related to Internet Explorer, the Redmond, Wash.-based developer's popular browser.
According to Secunia, a Danish vulnerability tracker, McAfee's Security Center, VirusScan, and VirusScan Professional all include the flawed DLL, and so are at risk. Secunia ranked the threat as "Highly critical."
On Wednesday, McAfee issued a statement saying that the flaw had been fixed and updates automatically pushed out to users.
