Slashdot Mirror


McAfee's Website Full of Security Holes

Julie188 writes "The McAfee.com website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security/hacking mailing list. Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe."

19 of 114 comments

  1. Your own dog food... by Locke2005 · · Score: 4, Insightful

    Eat it!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.

    1. Re:Your own dog food... by WrongSizeGlass · · Score: 2

      So McAfee's website is as secure as MySQL.com? This intertubes thing just keeps getting better and better.

    2. Re:Your own dog food... by PsyciatricHelp · · Score: 2

      Which would be as secure as RSA.

  2. Nice by mrbcs · · Score: 2

    Yup, there's some excellent credibility for you. Now can we get Norton to fall on their swords too?

    McAfee and Norton. Are these not the two worst software companies?

    --
    I'm not anti-social, I'm anti-idiot.

  3. Mod parent up! by khasim · · Score: 3, Interesting

    McAfee markets products to scan websites. At least use them on your own site!

    If the scans didn't turn up the vulnerabilities ... well it looks like you have a problem with your products.

    1. Re:Mod parent up! by BagOBones · · Score: 2

      I created a post on this already (probably while you were posting this) they DO scan the site, and it is McAfee SECURE CERTIFIED. Shows what it is worth.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."

    2. Re:Mod parent up! by jackdub · · Score: 4, Insightful

      Quis custodiet ipsos custodes?

    3. Re:Mod parent up! by aix+tom · · Score: 2

      I guess they are kinda like consultants in that regard. They can find problems pretty quick, but they have no idea how to fix them. ;-P

    4. Re:Mod parent up! by Anonymous Coward · · Score: 5, Interesting

      Posting AC for obvious reasons...

      At my former employer, I was in charge of managing the McAfee Secure scans (but not remediation) for all of our external sites. The maddening thing for me was that we got a ridiculously large amount of time to remediate any vulnerabilities before the Certified logo would show any issues (30 days comes to mind). Additionally, the scans only took place once per month. You could have a vulnerability out there for up to 60 days without ever getting addressed and everything shows up as fine and dandy, McAfee Secure Certified (tm). IMHO this is unacceptable and gives a false sense of security to the end-user. It also makes it damn hard to motivate the people in charge of patching and shoring up their piss-poor system admin practices to actually get off their damn asses and do something about it. A typical conversation after discovering a vulnerability went something like this:

      Me: McAfee Secure found these problems. *Sends scan report*
      Joe Sixpack SysAdmin: Meh, I've got a whole month before I need to remediate these issues, so it's not really a vulnerability yet. I'll wait until day 29 and a half to look at it, then freak out and point the finger back at you when I can't get it fixed in under 10 minutes.
      Me: *facepalm*

      Needless to say, when I see a McAfee Secure Certified logo on any site, I basically ignore it at best or altogether avoid the site at worst. It's a joke. Only less funny.

      On the positive side, the scan reports are very pretty. A hell of a lot better than McAfee Vulnerability Manager's sh*t reports.

    5. Re:Mod parent up! by kyuubiunl · · Score: 2

      McAfee secures on the "si fecisti nega!" principle.

    6. Re:Mod parent up! by Locke2005 · · Score: 3, Funny

      Apparently so does Bart Simpson: "I didn't do it, nobody saw me do it, there's no way you can prove anything!"

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.

  4. McAfee SECURE CERTIFIED by BagOBones · · Score: 4, Funny

    Don't worry, I checked and the site is McAfee SECURE CERTIFIED
    https://www.mcafeesecure.com/RatingVerify?ref=www.mcafee.com

    --
    EA David Gardner -"... but the consumers have proven that actually what they want is fun."

  5. Re:minor by sconeu · · Score: 5, Insightful

    most of the staff at McAfee, as with all other big companies, aren't security experts

    But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be held to a higher standard.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.

  6. Vulnerable != Unsafe by nuckfuts · · Score: 2

    the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe

    There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is in fact dangerous to view at that point in time, not whether it could potentially be made dangerous.

    This is not to say I don't give a damn about XSS vulnerabilities and the like. It's simply a different (albeit related) topic.

  7. The old days of McAfee's "secure" FTP site by Nimey · · Score: 4, Interesting

    Back about ten years ago, you used to be able to log into McAfee's FTP server and download their latest for-pay products. IIRC the username was something like "mcafee" and the password was "321". My former boss was a warez puppy and I gather this was commonly known on the scene.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem

  8. Misdirection by SuperKendall · · Score: 2, Insightful

    How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Misdirection by Bobfrankly1 · · Score: 2

      and virtualization being what it is, they could suffer an attack, log all the data, and swap in an HA clone in a matter of seconds. With appropriate monitoring it would be automated.

  9. Re:minor by sqlrob · · Score: 2

  10. Re:minor by flosofl · · Score: 2

    You seem to have a lack of understanding of how enterprise IT/IS actually works. You seem to think people in the marketing dept actually admin the web services for the company? In most modern medium to large (to ginormous) companies, there is a group in IT that is specifically tasked with managing the company's web presence including servers and software. A security group determines policies and practices that the Web group must follow. That same security group vets the services *before* going live and continually monitors and scans the web site for vulnerabilities. Other than content (and perhaps being the "owner"), the Marketing dept is probably not involved at *any* level of the web site.

    I actually work in network security, and have for quite a while. It's been like this at every major company (Int'l bank and F500 companies) I've worked for since at least 1998. They most definitely *should* have been aware of these issues. The fact that they tout themselves as a "major security vendor" means these should have been remediated as soon as possible.

    --
    "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"