Vulnerabilities / Threats
1/19/2012
02:54 PM
Connect Directly
RSS
E-Mail
50%
50%

McAfee SaaS Antivirus Spews Spam

Spammers are actively exploiting a hole in the antivirus software to create spam relays; McAfee says patch is forthcoming.

Spammers have been exploiting a bug in McAfee's software-as-a-service (SaaS) antivirus software to turn PCs into spam relays. As a result, a number of McAfee's customers have had their emails blocked after their Internet protocol (IP) addresses were blacklisted by anti-spam services.

David Marcus, director of security research for McAfee Labs, posted a blog Wednesday detailing the two bugs being exploited to relay spam. Both bugs are in one of its products: McAfee SaaS Endpoint Protection Suite, formerly known as SaaS for Total Protection, which is a hosted anti-malware service.

McAfee, which is owned by Intel, has been actively developing and testing a patch for both bugs, which it plans to make live by Thursday. "Because this is a managed product, all affected customers will automatically receive the patch when it is released," said Marcus.

[ Security threats are running high. See Facebook Users Hit By Money-Grubbing Malware. ]

Until the patch is ready, there are "mitigating factors already in place that reduce risk" for customers, according to Marcus. In addition, he said there was "no evidence of loss or compromise of any customer data in relation to either of these issues." But network managers who want to be extra safe can proactively disable the Rumor or McAfee Peer Distribution Service, and set external firewalls to block incoming requests to port 6515. (The Kaamar.com website contains detailed instructions for doing this.)

One of the SaaS Endpoint Protection Suite bugs involves an ActiveX control, which an attacker could misuse to execute arbitrary code. Marcus said that a patch it put in place in August 2011, to address a similar issue, had prevented attackers from exploiting the new vulnerability to access customer data.

The second bug involves McAfee's "Rumor technology", which uses peer-to-peer networking to distribute security updates inside a network. Due to the bug, attackers can use machines that run the SaaS Endpoint Protection Suite as open relays for sending large amounts of spam.

"Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine," said Marcus. He said McAfee's forthcoming patch will block the spam-relaying capability.

Two McAfee SaaS Endpoint Protection Suite customers, Keith and Annabel Morgan, posted a blog Monday saying that they'd had emails blacklisted by spam services, since the IP addresses on which they host their own servers were the same ones exploited by spammers via the spam-relay hole in the McAfee product. "We found our IP addresses ... on several public blacklists that had detected the spamming activity passing through our open proxy during the few days it was open."

The couple said they first detected the problem on January 4, when an email was returned, undelivered, with a notice that all email from their IP was being blocked to protect people from spam. By the next day, they said, they'd disabled the Rumor technology and halted the spam relaying. "But [we] received a traffic data limit warning from our ISP that we were approaching our whole month's traffic in only a few days," they said. "At peak we had the equivalent of 10 months of our normal traffic in one day."

IT's spending as much as ever on disaster recovery, despite advances in virtualization and cloud techniques. It's time to break free. Download our Disaster Recovery Disaster supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
1/22/2012 | 6:24:46 PM
re: McAfee SaaS Antivirus Spews Spam
The update for both these issues was released Thursday, and the issue should now be patched.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Sandman366
50%
50%
Sandman366,
User Rank: Apprentice
1/20/2012 | 5:09:32 PM
re: McAfee SaaS Antivirus Spews Spam
Antivirus makes user's problems grow! (Via exploit)
Lol.
clarise12
50%
50%
clarise12,
User Rank: Apprentice
1/20/2012 | 6:08:39 AM
re: McAfee SaaS Antivirus Spews Spam
Spammers are actively exploiting a hole in the antivirus software to create spam relays.IT's spending as much as ever on disaster recovery, despite advances in virtualization and cloud techniques.
joes12
50%
50%
joes12,
User Rank: Apprentice
1/20/2012 | 5:27:51 AM
re: McAfee SaaS Antivirus Spews Spam
And also customers should be aware that McAfee released a patch last August that effectively made the vulnerability inaccessible.

Source: The Inquirer (http://s.tt/15izH)
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.