McAfee online scan used plain old HTTP to fetch screen elements

McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text.

The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI design elements it serves.

A SecuriTeam-penned advisory on the problems notes that the tool “retrieves promotional and UI design information from different mcafee.com domains and displays them to the user, typically in the main application window.”

Since those elements don’t use HTTPS, they can be “trivially modified” by an attacker, who can then exploit the library the tool calls to display HTML content – MCBRWSR2.DLL.

This library exposes the JavaScript LaunchApplication() API, meaning an attacker can run any command they like on the victim.

The insecure elements can be pushed into the online scan’s progress screen, so a user thinks they’re getting the all-clear while they’re being pwned. The image below outlines in red the screen element SecuriTeam’s informant attacked (noting that without an attacker, that element is secured with a valid cert):

If you are in a MITM position, it’s fairly easy to launch commands with the privilege of the logged-in user (which on a home machine is probably the same as the administrator).

1       <script type="text/javascript">
2       window.external.LaunchApplication("c:\\windows\\system32\\calc.exe", "");
3       </script>

The full proof-of-concept needs only 38 lines of code. McAfee acknowledged the issue here, and patched the service in July. ®