Last Modified: 10/03/2013
|Who Should Read This Document:||Technical and Security Personnel|
|Impact of Vulnerability:||Privilege Escalation|
|US CERT Number:||None|
|Overall CVSS Score:||6.4|
|Recommendations:||Run McAfee Virtual Technician (MVT). MVT auto-updates itself to the latest version at the beginning of every run. This is not user configurable.|
|Security Bulletin Replacement:||None|
|Affected Software:|| |
MVT 18.104.22.1681 (and earlier)
|Location of Updated Software:||http://mvt.mcafee.com/mvt|
MVT can be downloaded from multiple locations. The primary download location is: http://mvt.mcafee.com/mvt
MVT 6.5 and earlier contain a vulnerability where the Save() function could be used to cause an escalation of privileges. This issue mainly affects Consumer users, but can also affects Enterprise users who use MVT or have deployed ePO-MVT to systems in their environments for diagnostic purposes. MVT is not tied to a particular McAfee product. Any system could have MVT installed; potentially even systems that do not have McAfee products currently installed.
All of these issues are resolved in MVT 7.1, which was released on March 15, 2013. MVT now validates the caller to check if it is McAfee signed. If it is not signed, MVT does not grant any access on its files.
Additionally, see SB10028 (McAfee Security Bulletin - Vulnerability in MVT & ePO-MVT) published May 04, 2012.
For MVT Users:
Customers can access MVT in their Programs menu to run MVT and be automatically updated to the latest version. If MVT was previously uninstalled, access the McAfee website at http://mvt.mcafee.com/mvt to run MVT and install the updated tool.
MVT download Instructions:
- Launch a web browser and navigate to:
- Download and run the MVTInstaller.
- Launch MVT application and follow onscreen instructions.
For ePO-MVT Users:
McAfee ePO-MVT 1.1.0 is now available for download. This version resolves the vulnerability.
To download ePO-MVT 1.1.0, go to the ePO-MVT download site at:
This security bulletin was written by Harold Toomey, Principal Product Security Architect, Product Security Group, McAfee, Inc.
Frequently Asked Questions (FAQs)
What is affected by this security vulnerability?
All McAfee customers using MVT 22.214.171.1241 (and earlier).
McAfee recommends that all customers verify that they have applied the latest updates.
NOTE: MVT Version 7.1 is not vulnerable.
Does this vulnerability affect McAfee enterprise products?
Yes, MVT is used by both consumer and enterprise users. A version of MVT (ePO-MVT) is available for deployment through ePO.
How do I know if my MVT is vulnerable or not?
- Go to your Microsoft Windows Control Panel and click Add and Remove Programs.
- The product version is displayed in the far right column.
- Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
- Create a query in ePO for the product version of the MVT product installed within the organization.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website at: http://www.first.org/cvss/
What are the CVSS scoring metrics that have been used?
|Related exploit range (AccessVector)||Network|
|Attack complexity (AccessComplexity)||Medium|
|Level of authentication needed (Authentication)||Single Instance|
|Availability of exploit (Exploitability)||Proof of concept code|
|Type of fix available (RemediationLevel)||Official fix|
|Level of verification that vulnerability exists (ReportConfidence)||Confirmed|
NOTE: CVSS version 2.0 was used to generate this score.
What has McAfee done to resolve the issue?
McAfee has released an update to address this security flaw.
Where do I download the fix?
The fix can be downloaded from: The fix can be downloaded from:
- http://mvt.mcafee.com/mvt/en-us/default.html?en-us (English)
- http://www.mcafee.com/us/downloads/free-tools/virtual-technician.aspx (English)
- http://www.mcafee.com/it/downloads/free-tools/virtual-technician.aspx (Italian)
How does McAfee respond to this and any other security flaws?
McAfee’s key priority is the security of our customers. In the event that a vulnerability is found within any of McAfee’s software, we work closely with the relevant security research group to ensure rapid and effective development of a fix and communication plan. McAfee is an active member of the Organization for Internet Safety (OIS), which is dedicated to developing guidelines and best practices for the reporting and fixing of software vulnerabilities.
McAfee only publishes product vulnerability bulletins together with an actionable workaround, patch, or hotfix; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk.
To download new Beta software or to read about the latest Beta information, go to: http://www.mcafee.com/us/downloads/beta-programs/index.aspx
To submit Beta feedback on any McAfee product, email: email@example.com
For contact information, go to: http://www.mcafee.com/uk/about/contact-us.aspx
For copyright, trademark attributions, and license information, go to: http://us.mcafee.com/root/aboutUs.asp?id=copyright
For patents protecting this product, see your product documentation.