Slashdot Mirror


McAfee Quietly Fixes Software Flaw

Chris Reimer writes "The San Jose Mercury News is reporting that McAfee fixed a serious design flaw months ago in their enterprise product without notifying businesses and U.S. government agencies until today." From the article: "McAfee said its own engineers first discovered the flaw, which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. McAfee produced a software update in February but described it only as offering new feature enhancements. Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."

7 of 65 comments

  1. Re:What a shock by quanticle · · Score: 5, Insightful

    I think the problem is that McAfee mislabeled the patch as "offering new functionality" rather than "fixing design flaw". There are customers who may put off installing patches of the first type while the full consequences of the new functionality are explored, while the second type of patch would get put into production, because of the fact that it fixes a potential security breach.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  2. Fire the PR department by alshithead · · Score: 4, Insightful

    Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.

    --
    I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
  3. Oh jeez oh man by Dachannien · · Score: 2, Insightful

    Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems.

    For that matter, many home users are starting to feel the same way.

    (This paranoia has been brought to you by the letters W, G, and A.)

  4. Re:I don't know how it's still around... by rts008 · · Score: 2, Insightful

    I agree, McAfee has slipped, as has Norton AV the past several years.

    Note to AV vendors: you can't rest on your past laurels; to stay competitive you must move forward and innovate to keep from being dethroned by your "more hungry" competitors.

    Past and recent experience has forced me to consider McAfee and Norton as "has beens", and no longer viable contenders. YMMV, but this is the way I see it.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  5. McAfee + Symantec=sucky by BalkanBoy · · Score: 3, Insightful

    They both produce an antivirus solution which annoys me with their anal-retentiveness. Since joining my current company, I discovered they used NOD32 - as soon as I installed it, I never ever wanted to go back to either McAfee or Symantec. I ditched McAfee about 6-7 years ago, and Symantec as of a year or so ago. Couldn't be happier. NOD32 is the most unobtrusive antivirus I've ever had. Ditch McAfee and/or Symantec, get NOD32 (or something better if it exists). Give the underdog a chance.

    --
    'A lie if repeated often enough, becomes the truth.' - Goebbels
  6. Who's right about what happened here? by MrNougat · · Score: 4, Insightful

    This c|net article says:

    McAfee was notified of the flaw by eEye Digital Security on July 5, but at the time had already fixed the flaw in an update to its software that was released in January, Viega said. That update was meant to fine-tune the system, not fix security flaws, he said. The current version of ePO is 3.6, according to McAfee.

    "We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week," Viega said. "We were optimizing the system, not looking for security vulnerabilities." The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.


    So what that means is that McAfee issued a feature update in January. eEye alerted them to a flaw in July - said flaw exists in systems that do not have the January feature update applied.

    If the above is correct, and it would seem to be, McAfee did nothing wrong at all.

    --
    Web 2.0 == Giant Blogspam Circle Jerk
  7. Re:What a shock by jpvlsmv · · Score: 3, Insightful

    You obviously don't read your EULA. Every single one disclaims all liability and warranty. Or do you know of a single instance where a commercial software company has been sued for a software bug?

    --Joe