When is a patch not a patch? When it's for this McAfee password bug

A privilege escalation flaw in McAfee's True Key software remains open to exploitation despite multiple attempts to patch it. This according to researchers with security shop Exodus Intel, who claim that CVE-2018-6661 was not fully addressed with either of the two patches McAfee released for it. The flaw is an elevation of …

  1. Keef

    From the linked blog...

    'Until recently, True Key was bundled with Adobe Flash and required users to opt-out during installation.'

    A plague o' both your houses!

  2. Pliny the Whiner

    WARNING: Hair In Mirror Is Blonder Than It Appears

    The ultimate "mitigation guidance," of course, is to not use McAfee products. Ever.

  3. Anonymous Coward

    It's 2018...

    And people are still using McAfee!

    1. ratfox Silver badge

      Re: It's 2018...

      Yeah, that was my reaction as well. I can't remember the last time I saw it installed anywhere.

      1. MiguelC Silver badge

        Re: It's 2018...

        We've got it at work... a true cpu and memory hog

  4. Anonymous Coward
    Linux

    Woah! Anti-virus??

    That's a blast from the past!

    1. Giovani Tapini

      Harbouring and propagating malware

      is still not a good thing, even if your platform suffers a great deal less from direct attack.

      A plague on your AC shop wherever you are, and thanks for the chance to troll the troll :)

      The fact a browser extension is a good idea as a workaround also does not sit well with me.

    2. Robert Helpmann?? Silver badge
      Childcatcher

      TL;DR?

      Woah! Anti-virus??

      McAfee True Key is not an AV product. At no point in the article is one mentioned directly. The only indirect reference to one might be the bit that says "...any other McAfee signed binary can be used to exploit the vulnerability as long as the binary depends on a DLL outside the list of known DLLs."

  5. PeterM42
    Pirate

    I always refer to it as.........

    McCRAPAFee.

    1. Captain Badmouth

      Re: I always refer to it as.........

      McCRAPAFee.

      In which case you should use the trouser extension...

  6. Anonymous Coward
    Terminator

    Unsigned DLL side-loading vulnerability?

    “It was found that one of the True Key Service binaries loads a McAfee dynamic library in an insecure manner. An adversary could carefully craft an exploit to launch an Elevation of Privilege attack.” ref

    How about designing the DLL loading routine to, by default, not allow unsigned DLL loading? That way any defect in the application would be rendered fail-safe. Presumably this flaw in the DLL side-loading mechanism can be exploited by any malicious application.
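
A defender-side audit in the spirit of the last comment, as an added example that is not part of the thread or of any vendor's code: it lists DLLs sitting beside a signed executable whose Authenticode signature is missing, invalid, or from a different signer than the executable. The function name `Get-UntrustedDll` and the path in the usage line are assumptions made for illustration.

```powershell
# Added example (not from the article or the comments).
# Flags DLLs next to a signed EXE that are unsigned, fail validation,
# or carry a different signer subject than the EXE itself.
function Get-UntrustedDll {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $ExePath   # full path to the service or application binary
    )

    $exe    = Get-Item -LiteralPath $ExePath -ErrorAction Stop
    $exeSig = Get-AuthenticodeSignature -LiteralPath $exe.FullName

    # Without a valid signature on the host binary there is no signer to compare to.
    if ($exeSig.Status -ne 'Valid') {
        throw "Host binary is not validly signed (status: $($exeSig.Status))"
    }
    $expectedSubject = $exeSig.SignerCertificate.Subject

    Get-ChildItem -LiteralPath $exe.DirectoryName -Filter '*.dll' -File |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # Compare on subject rather than thumbprint so a vendor's
            # certificate renewal does not flag every older DLL.
            $sameSigner = ($null -ne $subject) -and ($subject -eq $expectedSubject)

            if ($sig.Status -ne 'Valid' -or -not $sameSigner) {
                [pscustomobject]@{
                    Path       = $_.FullName
                    Status     = $sig.Status   # e.g. NotSigned, HashMismatch, Valid
                    Signer     = $subject
                    SameSigner = $sameSigner
                    Modified   = $_.LastWriteTimeUtc
                }
            }
        }
}

# Usage (placeholder path):
# Get-UntrustedDll -ExePath 'C:\Program Files\ExampleVendor\Service.exe' | Format-Table -AutoSize
```

This only audits files already on disk; refusing to load such a DLL at run time has to be done inside the loading code itself.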
