Slashdot Mirror

← Back to Stories (view on slashdot.org)

McAfee Quietly Fixes Software Flaw

Posted by ryuzaki0 on from the a-little-communication-would-be-helpful dept.

Chris Reimer writes "The San Jose Mercury News is reporting that McAfee fixed a serious design flaw months ago in their enterprise product without notifying businesses and U.S. government agencies until today." From the article: "McAfee said its own engineers first discovered the flaw, which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. McAfee produced a software update in February but described it only as offering new feature enhancements. Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."

3 of 65 comments (clear)

  1. Re:What a shock by quanticle · · Score: 5, Insightful

    I think the problem is that McAfee mislabeled the patch as "offering new functionality" rather than "fixing design flaw". There are customers who may put off installing patches of the first type while the full consequences of the new functionality are explored, while the second type of patch would get put into production, because of the fact that it fixes a potential security breach.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  2. Fire the PR department by alshithead · · Score: 4, Insightful

    Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.

    --
    I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
  3. Who's right about what happened here? by MrNougat · · Score: 4, Insightful
    This c|net article says:

    McAfee was notified of the flaw by eEye Digital Security on July 5, but at the time had already fixed the flaw in an update to its software that was released in January, Viega said. That update was meant to fine-tune the system, not fix security flaws, he said. The current version of ePO is 3.6, according to McAfee.

    "We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week," Viega said. "We were optimizing the system, not looking for security vulnerabilities." The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.


    So what that means is that McAfee issued a feature update in January. eEye alerted them to a flaw in July - said flaw exists in systems that do not have the January feature update applied.

    If the above is correct, and it would seem to be, McAfee did nothing wrong at all.
    --
    Web 2.0 == Giant Blogspam Circle Jerk