
Spammers Abuse Vulnerability in McAfee SaaS Total Protection Suite

Security vendor McAfee issued a patch on Thursday to address problems affecting its SaaS Total Protection service, including a bug that allows attackers to turn a computer into a relay point for spam.

The Intel-owned company’s SaaS Total Protection is an integrated suite of software-as-a-service (SaaS) offerings that includes Web filtering, antivirus and anti-spam capabilities. However, early this week users began complaining of a problem in the service’s ‘Rumor Technology,’ which uses file-sharing intelligence to distribute security updates within a network.

The idea behind Rumor is to enable installed McAfee SaaS Endpoint Protection agents to share anti-virus, anti-spyware and firewall product updates and upgrades with one another across a local area network, thereby saving bandwidth and management time.

However, users complained that service providers were blocking their IP address after noticing an increase in spam coming from their machines. Keith and Annabel Morrigan of British art company Kaamar warned in a blog post Monday that the issue turned affected computers into “open proxies” and that spammers were abusing port 6515.

“This means that your IP address can be used by anyone to bounce messages and spam on to other sites, as if coming from your address,” they wrote.

Though the vulnerability in the Rumor technology enables an attacker to use the machine as an “open relay,” it does not give the attacker access to data on the computer, Dave Marcus, director of security research for McAfee Labs, wrote in a blog post.
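As an added example (not code from McAfee or from the article), the check below uses the fact that Rumor is meant to share updates only within a local area network: it flags LAN hosts that were contacted on port 6515 from outside that network and counts the outbound mail connections that followed. The log format, the `192.168.1.0/24` LAN range, the five-minute window and the idea that relayed spam leaves over SMTP port 25 are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

RUMOR_PORT = 6515  # port the article says spammers were abusing
SMTP_PORT = 25     # assumption: relayed spam leaves as outbound SMTP
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the site's LAN range

# Constructed sample records: "epoch_seconds src_ip src_port dst_ip dst_port"
SAMPLE_LOG = """\
1326700000 192.168.1.20 51000 192.168.1.10 6515
1326700100 203.0.113.45 40112 192.168.1.10 6515
1326700102 192.168.1.10 49211 198.51.100.7 25
1326700105 192.168.1.10 49212 198.51.100.9 25
1326700200 192.168.1.11 49300 198.51.100.7 25
1326700300 203.0.113.45 40200 192.168.1.12 6515
"""

def find_relay_suspects(log_text, lan=LAN, window=300):
    """Return {lan_host: finding} for hosts reached on port 6515 from off-LAN."""
    inbound = defaultdict(list)   # host -> [(timestamp, external source)]
    smtp_out = defaultdict(list)  # host -> [timestamp of outbound SMTP]
    for line in log_text.splitlines():
        try:
            ts, src, _sport, dst, dport = line.split()
            ts, dport = int(ts), int(dport)
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip malformed records
        if dport == RUMOR_PORT and dst_ip in lan and src_ip not in lan:
            inbound[dst].append((ts, src))  # LAN-to-LAN update sharing is ignored
        elif dport == SMTP_PORT and src_ip in lan and dst_ip not in lan:
            smtp_out[src].append(ts)
    findings = {}
    for host, hits in inbound.items():
        # Outbound mail within `window` seconds after an external contact
        followed = sum(1 for t in smtp_out.get(host, [])
                       if any(0 <= t - h <= window for h, _ in hits))
        findings[host] = {
            "external_peers": sorted({s for _, s in hits}),
            "smtp_after_contact": followed,
            "verdict": "likely relaying" if followed else "exposed",
        }
    return findings

if __name__ == "__main__":
    for host, finding in sorted(find_relay_suspects(SAMPLE_LOG).items()):
        print(host, finding)
```

A host reported as "exposed" is reachable on the port from outside but shows no mail traffic after the contact, which is still worth closing at the perimeter firewall.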

The other issue involved the abuse of an ActiveX control to execute code.

“(This) issue has much in common with a similar issue patched in August 2011,” Marcus explained. “In fact, the patch delivered then basically cuts off the exploitation path for this issue, effectively reducing the risk to zero. Because of this, customer data is not directly at risk.”

McAfee customers using SaaS Total Protection will automatically receive the updates.

(Updated 3:05PM EST to reflect the patch being rolled out)
