Slashdot Mirror

← Back to Stories (view on slashdot.org)

McAfee's Website Full of Security Holes

Posted by Soulskill on from the par-for-the-course dept.

Julie188 writes "The McAfee.com website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security/hacking mailing list. Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe."

3 of 114 comments (clear)

  1. Mod parent up! by khasim · · Score: 3, Interesting

    McAfee markets products to scan websites. At least use them on your own site!

    If the scans didn't turn up the vulnerabilities ... well it looks like you have a problem with your products.

    1. Re:Mod parent up! by Anonymous Coward · · Score: 5, Interesting

      Posting AC for obvious reasons...

      At my former employer, I was in charge of managing the McAfee Secure scans (but not remediation) for all of our external sites. The maddening thing for me was that we got a ridiculously large amount of time to remediate any vulnerabilities before the Certified logo would show any issues (30 days comes to mind). Additionally, the scans only took place once per month. You could have a vulnerability out there for up to 60 days without ever getting addressed and everything shows up as fine and dandy, McAfee Secure Certified (tm). IMHO this is unacceptable and gives a false sense of security to the end-user. It also makes it damn hard to motivate the people in charge of patching and shoring up their piss-poor system admin practices to actually get off their damn asses and do something about it. A typical conversation after discovering a vulnerability went something like this:

      Me: McAfee Secure found these problems. *Sends scan report*
      Joe Sixpack SysAdmin: Meh, I've got a whole month before I need to remediate these issues, so it's not really a vulnerability yet. I'll wait until day 29 and a half to look at it, then freak out and point the finger back at you when I can't get it fixed in under 10 minutes.
      Me: *facepalm*

      Needless to say, when I see a McAfee Secure Certified logo on any site, I basically ignore it at best or altogether avoid the site at worst. It's a joke. Only less funny.

      On the positive side, the scan reports are very pretty. A hell of a lot better than McAfee Vulnerability Manager's sh*t reports.

  2. The old days of McAfee's "secure" FTP site by Nimey · · Score: 4, Interesting

    Back about ten years ago, you used to be able to log into McAfee's FTP server and download their latest for-pay products. IIRC the username was something like "mcafee" and the password was "321". My former boss was a warez puppy and I gather this was commonly known on the scene.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem