Researcher Uncovers McAfee Antivirus Vulnerability For Macs

The vulnerability affects McAfee Virex 7.7 and stems from a feature that allows users to earmark files to be skipped during scans. The insecure default permissions of the configuration file that controls the feature enables any user to modify or delete it, opening the door for attackers to create arbitrary files with escalated privileges, according to an advisory issued last week by security research firm Netragard.

In a security bulletin issued earlier this month, McAfee said an attacker would have to be logged in to the system to take advantage and would only be able to execute commands with the privileges of the user running Virex 7.7.

However, one thing the McAfee advisory didn't emphasize is that although the code is executed as the user identifier running the VirusScan engine, the default user identifier is root, according to Kevin Finisterre, a security researcher at Netragard Research and a co-organizer of the January Month of Apple Bugs.

The bug is nothing more than a classic world writable file that can be used in a symlink attack, Finisterre said in an e-mail interview with CRN. "Both the symlink and world writable file attacks are very old-school. One results in a complete bypass in the scanning engine, and the other results in a root prompt. So both are pretty serious," he said.

McAfee, which pushed the fix to all live update servers on Feb. 12, rated the severity of the vulnerability as "low", and Secunia gave it a "less critical" rating. However, Symantec rated its severity as 7.5 on a 10-point scale.

Finisterre said he has also cracked Norton Antivirus for Mac three times in the past couple of years, as well as offerings from Intego and ClamAV. "Although some folks argue that antivirus on a Mac isn't necessary, it's quite funny to think that even the vendors of Mac antivirus seem to be neglecting things," he said.