Jan. 3, 2018: Meltdown and Spectre

A set of three vulnerabilities disclosed by Intel on Jan. 3, 2018, called Meltdown and Spectre, impact McAfee appliance products.

KnowledgeBase Articles:

  • SB10226 – Meltdown/Spectre Security Bulletin
  • KB90167 – Meltdown and Spectre – McAfee Product Compatibility Update (Corporate Products)
  • TS102769 – Microsoft Security Update January 2018 (Meltdown and Spectre) and McAfee consumer products

McAfee Blog Posts:

Dec. 7, 2017: Process Doppelgänging Attack

On Dec. 7, 2017, the vulnerability Process Doppelgänger was described at Black Hat Europe 2017. It is said to bypass anti-malware products protections, including McAfee VirusScan Enterprise (VSE) 8.8, Patch 6 running on Windows Vista. The technique provides a TOCTOU (time of check to time of use) avenue to hide executing code. McAfee knows of no malicious use of Process Doppelgänger technique in the wild at this time.

McAfee is investigating the Process Doppelgänger technique in relation to McAfee endpoint products. McAfee takes any report of new attack techniques seriously. Such reports must be analyzed carefully in light of the many defensive techniques that McAfee products provide.

Nov. 20, 2017: Intel Firmware Vulnerability

On Nov. 20, 2017, a collection of Intel firmware vulnerabilities was reported (INTEL-SA-00086), potentially affecting some McAfee appliances using Intel motherboards. One high severity vulnerability allows a non-administrative user to escalate privileges, while the other allows a privileged user to perform buffer overflows. We understand your concern and are reaching out as your #1 trusted security advisor.

McAfee is researching which of our appliances are impacted and which are not. Our initial analysis is that some McAfee appliances will be affected. However, the mitigation is that most, if not all, appliance products do not allow execution of arbitrary code, which is required to exploit these vulnerabilities.

Nov. 10, 2017: AVGater Vulnerability

On Nov. 10, 2017, a vulnerability called AVGater was reported, affecting some antivirus products. The vulnerability allows a non-administrative user to perform a restore of a quarantined file in a user’s defined location.

At this time, thanks to internal reviews and confirmation from the author of the blog, we know of no McAfee products that are affected with a privilege escalation vulnerability described in the AVGater blog entry that would allow a non-administrative user to perform a restore of a quarantined file in a user’s defined location.

The mechanism that allows users to restore files from quarantine in McAfee products is either locked down by default or is only available to users with administrative privileges, providing an additional layer of protection to our customers.

More analysis is forthcoming.

Mar. 22, 2017: DoubleAgent Attack

Intel Security / McAfee is investigating the impact of the DoubleAgent zero-day attack announced on 22 March 2017.

This injection technique uses a Microsoft Windows feature that requires administrative privileges and impacts all executables on a Microsoft Windows computer.

This attack does not exploit any product vulnerabilities in McAfee products.

Our focus is on the resilience of our products against this attack vector and the self-protection mechanisms inside these products running on Microsoft Windows.

McAfee products running on Microsoft Windows contain a number of detective and protective mechanisms against registry manipulations and memory injection techniques, including injections into McAfee binaries.

For example, our enterprise antivirus product, McAfee Endpoint Security (ENS) 10.5, provides multiple mechanisms designed to detect and prevent a DoubleAgent attack on McAfee processes, including a module sanitization feature that only allows trusted, signed code to be loaded.

We will be updating this article with links to one or more Security Bulletins (SB) as our investigation progresses.