Symantec and McAfee have patched a near identical vulnerability in their respective endpoint protection software that would have made it easier for attackers with prior admin access to a system to create more damage.
In both instances, the flaws were reported by security vendor SafeBreach and stemmed from a lack of signature validation when code was being loaded into certain processes of the respective vendor software.
SafeBreach's analysis shows multiple signed processes in McAfee's endpoint protection software and one service in Symantec's equivalent products attempting to load a dynamic-link library (DLL) from a path that didn't exist.
SafeBreach researchers developed a proof-of-concept exploit showing how an attacker could have exploited that issue to bypass self-defense mechanisms and load an arbitrary, unsigned DLL into processes running in each vendor's products.
All versions of Symantec Endpoint Protection prior to the just-patched 14.2 RU2 were vulnerable. All versions of McAfee's Total Protection (MTP), Anti-Virus Plus (AVP), and Internet Security (MIS) up to and including version 16.0.R22 were vulnerable. Both vendors have patched the issue.
Peleg Hadar, security researcher at SafeBreach, says the now-patched vulnerability in the McAfee and Symantec products provided attackers with a persistence mechanism for deploying malware on endpoint systems.
An attacker also would have been able to operate under the context and behalf of the antivirus process on compromised endpoint systems, he says. Multiple parts of both Symantec's and McAfee's vulnerable endpoint protection software run as a Windows service with the highest-level privileges on the system.
By e ..