Slashdot Mirror

← Back to Stories (view on slashdot.org)

McAfee Quietly Fixes Software Flaw

Posted by ryuzaki0 on from the a-little-communication-would-be-helpful dept.

Chris Reimer writes "The San Jose Mercury News is reporting that McAfee fixed a serious design flaw months ago in their enterprise product without notifying businesses and U.S. government agencies until today." From the article: "McAfee said its own engineers first discovered the flaw, which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. McAfee produced a software update in February but described it only as offering new feature enhancements. Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."

8 of 65 comments (clear)

  1. Fear, uncertainty, doubt. by metasecure · · Score: 4, Interesting

    I'm gunna have to call FUD on this one... The news report is inaccurate - McAfee clearly acknowledges eEye Digital as discovering the claim, not their own engineers as the article states.

    Link to McAfee knowledgebase article: http://knowledge.mcafee.com/SupportSite/search.do? cmd=displayKC&docType=kc&externalId=9925498&sliceI d=SAL_Public

    Copy of message sent by McAfee:
    > On July 5th, McAfee, Inc. was notified of a security vulnerability, by a private security vendor, that could affect McAfee ePolicy Orchestrator (ePO) Common Management Agent 3.5, and earlier versions. In order to accomplish this exploit, an attacker would need network access to the client machine and would then need to construct a message consisting of proprietary information. The attack is quite complicated and requires several steps of reverse engineering of the software as well as the communication protocols. > > McAfee> '> s key priority is the security of its customers and it takes the quality of its software very seriously. McAfee has been extremely proactive in this area and has a dedicated team run by a leading industry expert that pushes tools and knowledge throughout the product development organization. As a result, the company has a good track record on security. Nonetheless, software can be incredibly complex. > > In the event that a vulnerability is found within any of McAfee> '> s software, there is a strong process in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is therefore alerting its customers of the security flaw. > > McAfee apologizes for any unintended impact to customers as a result of this published vulnerability. We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work. We are determined to earn that trust every day and will do everything in our control to mitigate this problem now and in the future. > > For more information on this security vulnerability, please visit http://www.mcafee.com/us/support/default.asp . If that link does not work, then click here: http://www.mcafee.com/us/enterprise/support/index. html and go to "Corporate Technical Support". You will see the bulletin on the left-hand side under "Announcements." >

  2. Rumour has it... by GillBates0 · · Score: 4, Funny
    which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs.

    ...that they used the above said flaw to quietly install the update.

    --
    An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
  3. Re:What a shock by quanticle · · Score: 5, Insightful

    I think the problem is that McAfee mislabeled the patch as "offering new functionality" rather than "fixing design flaw". There are customers who may put off installing patches of the first type while the full consequences of the new functionality are explored, while the second type of patch would get put into production, because of the fact that it fixes a potential security breach.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
  4. This is hardly exclusive to McAfee..... by 8127972 · · Score: 4, Interesting

    ....... As I am sure that software vendors who do regular updates (in other words MOST if not ALL of them) quietly fix stuff that they perceive to be bad (as in "this could keep people from buying our stuff" bad). It's not in their interest to make noise about it.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  5. Re:What a shock by mbadolato · · Score: 4, Funny
    I think the problem is that McAfee mislabeled the patch as "offering new functionality" rather than "fixing design flaw"

    Bah, that's just a semantic (bad psuedo pun?) technicality! "New Functionality: Ownz Blocker - Now limits you from being h4x0r3d"
  6. I don't know how it's still around... by fonetik · · Score: 5, Interesting
    "Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."

    The irony of this is, if you made the decision to run Mcafee corporate AV products, you have demonstrated that you do not possess the level of intelligence to comprehend concepts like "introducing new problems". In a decade as an engineer/administrator I have yet to encounter a less user-friendly, more bewildering and functionally inept product. The sheer lack of elegance in the ePO server interface should tip anyone off that this is not ready for prime time. How it gets chosen over Trend-micro and Norton's (Corporate) products, or even finds it's way into the competition is something I have yet to discover.

    To anyone that has had the misfortune of being an ePO administrator, none of this news would come as a surprise. Personally, I removed the product from my resume simply because it's presence at a company seems to predicate larger problems, and the only work I ever want to do with it again is replacing it.

  7. Fire the PR department by alshithead · · Score: 4, Insightful

    Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.

    --
    I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
  8. Who's right about what happened here? by MrNougat · · Score: 4, Insightful
    This c|net article says:

    McAfee was notified of the flaw by eEye Digital Security on July 5, but at the time had already fixed the flaw in an update to its software that was released in January, Viega said. That update was meant to fine-tune the system, not fix security flaws, he said. The current version of ePO is 3.6, according to McAfee.

    "We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week," Viega said. "We were optimizing the system, not looking for security vulnerabilities." The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.


    So what that means is that McAfee issued a feature update in January. eEye alerted them to a flaw in July - said flaw exists in systems that do not have the January feature update applied.

    If the above is correct, and it would seem to be, McAfee did nothing wrong at all.
    --
    Web 2.0 == Giant Blogspam Circle Jerk