From the linked blog...
'Until recently, True Key was bundled with Adobe Flash and required users to opt-out during installation.'
A plague o' both your houses!
A privilege escalation flaw in McAfee's True Key software remains open to exploitation despite multiple attempts to patch it. This according to researchers with security shop Exodus Intel, who claim that CVE-2018-6661 was not fully addressed with either of the two patches McAfee released for it. The flaw is an elevation of …
is still not a good thing, even if your platform suffers a great deal less from direct attack.
A plague on your AC shop wherever you are, and thanks for the chance to troll the troll :)
The fact a browser extension is a good idea as a workaround also does not sit well with me.
McAfee True Key is not an AV product. At no point in the article is one mentioned directly. The only indirect reference to one might be the bit that says "...any other McAfee signed binary can be used to exploit the vulnerability as long as the binary depends on a DLL outside the list of known DLLs."
“It was found that one of the True Key Service binaries loads a McAfee dynamic library in an insecure manner. An adversary could carefully craft an exploit to launch an Elevation of Privilege attack.” ref
How about designing the DLL loading routine to, by default, not allow unsigned DLL loading, that way any defect in the application would be rendered fail-safe. Presumably this flaw in the DLL side-loading mechanism can be exploited by any malicous application.
Biting the hand that feeds IT © 1998–2019