Two vulnerabilities were reported in McAfee Security-as-a-Service (SaaS) Endpoint Protection. A remote user can cause arbitrary code to be executed on the target user's system.
Endpoint Protection 5.2.1 and prior versions
McAfee Security Bulletin - McAfee SaaS Endpoint Protection update fixes multiple ActiveX issues.
Two vulnerabilities have been reported in McAfee SaaS Endpoint Protection, which can be exploited by malicious people to compromise a user's system.
1) An error within the MyASUtil ActiveX control (MyAsUtil18.104.22.1683.dll) when processing the "CreateSecureObject()" method can be exploited to inject and execute arbitrary commands.(ZDI-CAN-1104)
2) The insecure "Start()" method within the MyCioScan ActiveX control (myCIOScn.dll) can be exploited to write to arbitrary files in the context of the currently logged-on user.(ZDI-CAN-1105)
These issues both require a target to click on an attacker supplied link or open an attacker supplied file. Both have ActiveX protections that limit where the origination of the request could come from, meaning that an attacker needs to perform a separate attack (known as a XSS) for either of these attacks to work. A remote user can create HTML that, when loaded by the target user, will execute arbitrary code on the target user's system.