McAfee Quietly Fixes Software Flaw

← Back to Stories (view on slashdot.org)

McAfee Quietly Fixes Software Flaw

Posted by ryuzaki0 on Friday July 14, 2006 @08:31AM from the a-little-communication-would-be-helpful dept.

Chris Reimer writes "The San Jose Mercury News is reporting that McAfee fixed a serious design flaw months ago in their enterprise product without notifying businesses and U.S. government agencies until today." From the article: "McAfee said its own engineers first discovered the flaw, which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. McAfee produced a software update in February but described it only as offering new feature enhancements. Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."

18 of 65 comments (clear)

Min score:

Reason:

Sort:

What a shock by AgentRavyn · 2006-07-14 08:36 · Score: 2, Funny

There's bugs in software? And they were covertly fixed? Never!

--
___
I'm an exhibit on the mounted animal nature trail.
1. Re:What a shock by quanticle · 2006-07-14 08:42 · Score: 5, Insightful
  
  I think the problem is that McAfee mislabeled the patch as "offering new functionality" rather than "fixing design flaw". There are customers who may put off installing patches of the first type while the full consequences of the new functionality are explored, while the second type of patch would get put into production, because of the fact that it fixes a potential security breach.
  
  --
  We all know what to do, but we don't know how to get re-elected once we have done it
2. Re:What a shock by mbadolato · 2006-07-14 08:51 · Score: 4, Funny
  
  I think the problem is that McAfee mislabeled the patch as "offering new functionality" rather than "fixing design flaw"
  
  Bah, that's just a semantic (bad psuedo pun?) technicality! "New Functionality: Ownz Blocker - Now limits you from being h4x0r3d"
3. Re:What a shock by jpvlsmv · 2006-07-14 09:31 · Score: 3, Insightful
  
  You obviously don't read your EULA. Every single one disclaims all liability and warranty. Or do you know of a single instance where a commercial software company has been sued for a software bug?
  
  --Joe
Fear, uncertainty, doubt. by metasecure · 2006-07-14 08:37 · Score: 4, Interesting

I'm gunna have to call FUD on this one... The news report is inaccurate - McAfee clearly acknowledges eEye Digital as discovering the claim, not their own engineers as the article states.

Link to McAfee knowledgebase article: http://knowledge.mcafee.com/SupportSite/search.do? cmd=displayKC&docType=kc&externalId=9925498&sliceI d=SAL_Public

Copy of message sent by McAfee:
> On July 5th, McAfee, Inc. was notified of a security vulnerability, by a private security vendor, that could affect McAfee ePolicy Orchestrator (ePO) Common Management Agent 3.5, and earlier versions. In order to accomplish this exploit, an attacker would need network access to the client machine and would then need to construct a message consisting of proprietary information. The attack is quite complicated and requires several steps of reverse engineering of the software as well as the communication protocols. > > McAfee> '> s key priority is the security of its customers and it takes the quality of its software very seriously. McAfee has been extremely proactive in this area and has a dedicated team run by a leading industry expert that pushes tools and knowledge throughout the product development organization. As a result, the company has a good track record on security. Nonetheless, software can be incredibly complex. > > In the event that a vulnerability is found within any of McAfee> '> s software, there is a strong process in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is therefore alerting its customers of the security flaw. > > McAfee apologizes for any unintended impact to customers as a result of this published vulnerability. We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work. We are determined to earn that trust every day and will do everything in our control to mitigate this problem now and in the future. > > For more information on this security vulnerability, please visit http://www.mcafee.com/us/support/default.asp . If that link does not work, then click here: http://www.mcafee.com/us/enterprise/support/index. html and go to "Corporate Technical Support". You will see the bulletin on the left-hand side under "Announcements." >
Rumour has it... by GillBates0 · 2006-07-14 08:41 · Score: 4, Funny

which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs.
...that they used the above said flaw to quietly install the update.

--
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
This is hardly exclusive to McAfee..... by 8127972 · 2006-07-14 08:50 · Score: 4, Interesting

....... As I am sure that software vendors who do regular updates (in other words MOST if not ALL of them) quietly fix stuff that they perceive to be bad (as in "this could keep people from buying our stuff" bad). It's not in their interest to make noise about it.

--
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
1. Re:This is hardly exclusive to McAfee..... by 8127972 · 2006-07-14 09:02 · Score: 3, Interesting
  
  "Besides, I don't really know what you're defending, Mcaffee openly says it was a screwup and that because they depend on their customers trusting them they shouldn't have handled it the way they did."
  
  I'm not defending anything. I'm just saying that this behaviour is:
  
  1. Not new in this industry.
  2. If you trust them, this might make you think twice as they said that they did this WAY after the fact.
  
  --
  This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
I don't know how it's still around... by fonetik · 2006-07-14 08:57 · Score: 5, Interesting

"Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."
The irony of this is, if you made the decision to run Mcafee corporate AV products, you have demonstrated that you do not possess the level of intelligence to comprehend concepts like "introducing new problems". In a decade as an engineer/administrator I have yet to encounter a less user-friendly, more bewildering and functionally inept product. The sheer lack of elegance in the ePO server interface should tip anyone off that this is not ready for prime time. How it gets chosen over Trend-micro and Norton's (Corporate) products, or even finds it's way into the competition is something I have yet to discover.
To anyone that has had the misfortune of being an ePO administrator, none of this news would come as a surprise. Personally, I removed the product from my resume simply because it's presence at a company seems to predicate larger problems, and the only work I ever want to do with it again is replacing it.
1. Re:I don't know how it's still around... by rts008 · 2006-07-14 09:12 · Score: 2, Insightful
  
  I agree, McAfee has slipped, as has Norton AV the past several years.
  
  Note to AV vendors: you can't rest on your past laurels, to stay competetive you must move forward and innovate to keep from being dethroned by your "more hungry" competitors.
  
  Past and recent experience has forced me to consider McAfee and Norton as "has beens", and no longer viable contenders. YMMV, but this is the way I see it.
  
  --
  Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Fire the PR department by alshithead · 2006-07-14 08:59 · Score: 4, Insightful

Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.

--
I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
Oh jeez oh man by Dachannien · 2006-07-14 09:05 · Score: 2, Insightful

Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems.

For that matter, many home users are starting to feel the same way.

(This paranoia has been brought to you by the letters W, G, and A.)
OT, please disregard by TheDarkener · 2006-07-14 09:07 · Score: 3, Interesting

Aside from this specific instance of a security vulnerability in McAfee products, seriously. McAfee *was* a decent product. In, say, 1993. For DOS. Because it was just about the only antivirus protection you could get at the time.

Now, you have *many* choices. I don't see why you would ever want to choose a McAfee product as any level of protection (be it firewall, antivirus, anti-spam, or whatever) - it's just that the software has evolved into this huge monolithic POS that crashes your system, slows it down ungodly, bugs you like a Japanese whore (OMGLOLIBLOCKEDAHAX0R!) and, I don't have much doubt at all that it corrupts your system far beyond what's been reported before, just out of pure experience with anomolies on customers' computers with it installed.

AVG. Seriously, it's much simpler, faster, and *just*doesn't*mess*with* Windows like McAfee does.

--
It is pitch black. You are likely to be eaten by a grue.
McAfee + Symantec=sucky by BalkanBoy · 2006-07-14 09:19 · Score: 3, Insightful

they both produce an antivirus solution which annoys me with their anal-retentiveness. Since joining my current company, I discovered they used NOD32 - as soon as I installed it, I never ever wanted to go back to either McAfee or Symantec. I ditched McAfee about 6-7 years ago, and Symantec as of a year or so ago. Couldn't be happier. NOD32 is the most unobtrusive antivirus I've ever had. Ditch McAfee and/or Symantec, get NOD32 (or something better if it exists). Give the underdog a chance.

--
'A lie if repeated often enough, becomes the truth.' - Goebbels
Who's right about what happened here? by MrNougat · 2006-07-14 09:26 · Score: 4, Insightful

This c|net article says:

McAfee was notified of the flaw by eEye Digital Security on July 5, but at the time had already fixed the flaw in an update to its software that was released in January, Viega said. That update was meant to fine-tune the system, not fix security flaws, he said. The current version of ePO is 3.6, according to McAfee.

"We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week," Viega said. "We were optimizing the system, not looking for security vulnerabilities." The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.

So what that means is that McAfee issued a feature update in January. eEye alerted them to a flaw in July - said flaw exists in systems that do not have the January feature update applied.

If the above is correct, and it would seem to be, McAfee did nothing wrong at all.

--
Web 2.0 == Giant Blogspam Circle Jerk
You missed one. by ScentCone · 2006-07-14 09:33 · Score: 2

Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.

You're forgetting the third group: people who are glad they fixed it, and who are also glad that they minimized the vulnerability's exposure to the wider Guild Of Naughty People.

--
Don't disappoint your bird dog. Go to the range.
Beware of McAfee by pobster · 2006-07-14 11:26 · Score: 2, Informative

McAfee is possibly my least favorite piece of software - not only does it do it's job badly & slow down everything but it doesn't uninstall even vaguely properly.

It can be a heck of a fight to actually get rid of it - see http://www.myfixes.com/articles/mcrem for details on how to root it out.

Removing over 100 spyware progs from my friends poor PC gave less of a speedup than finally removing McAfee! Get AVG or NOD32 for antivrus, Zonealarm for firewall and Adaware SE, Spybot S & D and Spywareblaster for antispyware. Try HijackThis and SysInternals stuff if you really want to know whats happening on your Windows Installation.

Or just get Ubuntu or PClinuxOS already...
It is the worst case scenario for an AV company by Opportunist · 2006-07-14 11:29 · Score: 3, Interesting

Imagine malware akin to the Word/Excel/Powerpoint exploits that entertained us the last 3 months (accurately released right after the MS patchday), but targeting a buffer overflow in an AV product. The results would be devastating. EVERYONE who uses that AV software WILL be infected. Not can, but WILL.

On-access scanners, which pretty much every AV soft uses, will scan the file as soon as you open it. If a buffer overflow is crafted (to, say, use a flaw in the scanners static unpacking algo for UPX), your AV soft will actually run the viral code.

This can happen. And it will. It's a matter of time. I'm quite sure the malware writers are already poking at the scanners of McAfee, Kaspersky, Symantec etc. to find useable overflows.

I think the future of AV soft is in servers, not client products. The future is in secure, chroot'ed scanning environments that examine the passing traffic, which, in turn, are constantly scanned from a second scanner outside that chroot environment, checking the integrity of the scanning subsystem inside the chroot.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.