Slashdot Mirror
McAfee Quietly Fixes Software Flaw
Chris Reimer writes "The San Jose Mercury News is reporting that McAfee fixed a serious design flaw months ago in their enterprise product without notifying businesses and U.S. government agencies until today." From the article: "McAfee said its own engineers first discovered the flaw, which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. McAfee produced a software update in February but described it only as offering new feature enhancements. Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."
There's bugs in software? And they were covertly fixed? Never!
___
I'm an exhibit on the mounted animal nature trail.
I'm gunna have to call FUD on this one... The news report is inaccurate - McAfee clearly acknowledges eEye Digital as discovering the claim, not their own engineers as the article states.
? cmd=displayKC&docType=kc&externalId=9925498&sliceI d=SAL_Public
. html and go to "Corporate Technical Support". You will see the bulletin on the left-hand side under "Announcements."
>
Link to McAfee knowledgebase article: http://knowledge.mcafee.com/SupportSite/search.do
Copy of message sent by McAfee:
> On July 5th, McAfee, Inc. was notified of a security vulnerability, by a private security vendor, that could affect McAfee ePolicy Orchestrator (ePO) Common Management Agent 3.5, and earlier versions. In order to accomplish this exploit, an attacker would need network access to the client machine and would then need to construct a message consisting of proprietary information. The attack is quite complicated and requires several steps of reverse engineering of the software as well as the communication protocols. > > McAfee> '> s key priority is the security of its customers and it takes the quality of its software very seriously. McAfee has been extremely proactive in this area and has a dedicated team run by a leading industry expert that pushes tools and knowledge throughout the product development organization. As a result, the company has a good track record on security. Nonetheless, software can be incredibly complex. > > In the event that a vulnerability is found within any of McAfee> '> s software, there is a strong process in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is therefore alerting its customers of the security flaw. > > McAfee apologizes for any unintended impact to customers as a result of this published vulnerability. We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work. We are determined to earn that trust every day and will do everything in our control to mitigate this problem now and in the future. > > For more information on this security vulnerability, please visit http://www.mcafee.com/us/support/default.asp . If that link does not work, then click here: http://www.mcafee.com/us/enterprise/support/index
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
....... As I am sure that software vendors who do regular updates (in other words MOST if not ALL of them) quietly fix stuff that they perceive to be bad (as in "this could keep people from buying our stuff" bad). It's not in their interest to make noise about it.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Good for McAfee fixing their software flaws quietly. I mean, they shouldn't be such braggarts about it.
The irony of this is, if you made the decision to run Mcafee corporate AV products, you have demonstrated that you do not possess the level of intelligence to comprehend concepts like "introducing new problems". In a decade as an engineer/administrator I have yet to encounter a less user-friendly, more bewildering and functionally inept product. The sheer lack of elegance in the ePO server interface should tip anyone off that this is not ready for prime time. How it gets chosen over Trend-micro and Norton's (Corporate) products, or even finds it's way into the competition is something I have yet to discover.
To anyone that has had the misfortune of being an ePO administrator, none of this news would come as a surprise. Personally, I removed the product from my resume simply because it's presence at a company seems to predicate larger problems, and the only work I ever want to do with it again is replacing it.
Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.
I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems.
For that matter, many home users are starting to feel the same way.
(This paranoia has been brought to you by the letters W, G, and A.)
Aside from this specific instance of a security vulnerability in McAfee products, seriously. McAfee *was* a decent product. In, say, 1993. For DOS. Because it was just about the only antivirus protection you could get at the time.
Now, you have *many* choices. I don't see why you would ever want to choose a McAfee product as any level of protection (be it firewall, antivirus, anti-spam, or whatever) - it's just that the software has evolved into this huge monolithic POS that crashes your system, slows it down ungodly, bugs you like a Japanese whore (OMGLOLIBLOCKEDAHAX0R!) and, I don't have much doubt at all that it corrupts your system far beyond what's been reported before, just out of pure experience with anomolies on customers' computers with it installed.
AVG. Seriously, it's much simpler, faster, and *just*doesn't*mess*with* Windows like McAfee does.
It is pitch black. You are likely to be eaten by a grue.
they both produce an antivirus solution which annoys me with their anal-retentiveness. Since joining my current company, I discovered they used NOD32 - as soon as I installed it, I never ever wanted to go back to either McAfee or Symantec. I ditched McAfee about 6-7 years ago, and Symantec as of a year or so ago. Couldn't be happier. NOD32 is the most unobtrusive antivirus I've ever had. Ditch McAfee and/or Symantec, get NOD32 (or something better if it exists). Give the underdog a chance.
'A lie if repeated often enough, becomes the truth.' - Goebbels
So what that means is that McAfee issued a feature update in January. eEye alerted them to a flaw in July - said flaw exists in systems that do not have the January feature update applied.
If the above is correct, and it would seem to be, McAfee did nothing wrong at all.
Web 2.0 == Giant Blogspam Circle Jerk
Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.
You're forgetting the third group: people who are glad they fixed it, and who are also glad that they minimized the vulnerability's exposure to the wider Guild Of Naughty People.
Don't disappoint your bird dog. Go to the range.
still warns a logged in user that McAfee had previously downloaded
the latest updates, but requires that an administrator be logged in.
As opposed to some other companies that are very loud about their attempts to fix their software
- Tash
Vrooommm...
Don't you just love when chemo comes along to help cure cancers that didn't exist before chemo?
I use a web-subscription version. I finally decided to Scan something on demand and got scripting errors from internet explorer. So I followed their help link to check how to fix the problem. No lie, here, McAfee said in order to use VirusScan, I have to Set internet security to medium or low, allow unsigned ActiveX controls to install and run automatically. NO THANK YOU. I'm getting Symantec AV.
McAfee is possibly my least favorite piece of software - not only does it do it's job badly & slow down everything but it doesn't uninstall even vaguely properly.
It can be a heck of a fight to actually get rid of it - see http://www.myfixes.com/articles/mcrem for details on how to root it out.
Removing over 100 spyware progs from my friends poor PC gave less of a speedup than finally removing McAfee! Get AVG or NOD32 for antivrus, Zonealarm for firewall and Adaware SE, Spybot S & D and Spywareblaster for antispyware. Try HijackThis and SysInternals stuff if you really want to know whats happening on your Windows Installation.
Or just get Ubuntu or PClinuxOS already...
Imagine malware akin to the Word/Excel/Powerpoint exploits that entertained us the last 3 months (accurately released right after the MS patchday), but targeting a buffer overflow in an AV product. The results would be devastating. EVERYONE who uses that AV software WILL be infected. Not can, but WILL.
On-access scanners, which pretty much every AV soft uses, will scan the file as soon as you open it. If a buffer overflow is crafted (to, say, use a flaw in the scanners static unpacking algo for UPX), your AV soft will actually run the viral code.
This can happen. And it will. It's a matter of time. I'm quite sure the malware writers are already poking at the scanners of McAfee, Kaspersky, Symantec etc. to find useable overflows.
I think the future of AV soft is in servers, not client products. The future is in secure, chroot'ed scanning environments that examine the passing traffic, which, in turn, are constantly scanned from a second scanner outside that chroot environment, checking the integrity of the scanning subsystem inside the chroot.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
McAfee Quietly Fixes Software Flaw
It's not so quiet now, is it?
oh I do like it when everyone shouts about stuff they do not understand.
If you really look into the actual fix you will discover it only relates to an old version of the ePo agent and not the core antivirus product.
2ndly, out of the box the AV product has a lot of options switched on which may slow down older PCs with certain configurations. It calls for some analysis and tuning on your part but you can get World Class Virus/Worm/Malware protection without compromising your PCs speed. Before trumpeting that such and such a vendor's product is better because it doesn't slow your PC down, please make sure you read the comparative studies to see why that may be.
McAffee never was worth using anyway. I mean given it couldn't find a virus with a guide and a map, who'd notice if it was broke?
I don't know why anyone would use it. This is just reason 37 why.
If you feel the need to pay for Antivirus, then get Norton, otherwise use Antivir/SpyBot S&D/SpyWare Blaster.
Tachyon