McAfee Quietly Fixes Software Flaw
Chris Reimer writes "The San Jose Mercury News is reporting that McAfee fixed a serious design flaw months ago in their enterprise product without notifying businesses and U.S. government agencies until today." From the article: "McAfee said its own engineers first discovered the flaw, which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. McAfee produced a software update in February but described it only as offering new feature enhancements. Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."
What a shock (Score:2, Funny)
Re:What a shock (Score:1)
Re:What a shock (Score:3, Insightful)
--Joe
Re:What a shock (Score:1)
Re:What a shock (Score:2)
> Or do you know of a single instance where a commercial software company has been sued for a software bug?
Yep. I recall EDS paid over $100M compensation to HMRC for a buggy UK tax credits system (not sure if HMRC actually filed suit, but you can be sure it threatened to in order to get that settlement).
Also, I know of plenty of instances where liti
Re:What a shock (Score:1)
Re:What a shock (Score:5, Insightful)
Re:What a shock (Score:5, Funny)
Bah, that's just a semantic (bad pseudo pun?) technicality! "New Functionality: Ownz Blocker - Now limits you from being h4x0r3d"
Re:What a shock (Score:1, Funny)
Fear, uncertainty, doubt. (Score:4, Interesting)
Link to McAfee knowledgebase article: http://knowledge.mcafee.com/SupportSite/search.do
Copy of message sent by McAfee:
> On July 5th, McAfee, Inc. was notified of a security vulnerability, by a private security vendor, that could affect McAfee ePolicy Orchestrator (ePO) Common Management Agent 3.5, and earlier versions. In order to accomplish this exploit, an attacker would need network access to the client machine and would then need to construct a message consisting of proprietary information. The attack is quite complicated and requires several steps of reverse engineering of the software as well as the communication protocols.
>
> McAfee's key priority is the security of its customers and it takes the quality of its software very seriously. McAfee has been extremely proactive in this area and has a dedicated team run by a leading industry expert that pushes tools and knowledge throughout the product development organization. As a result, the company has a good track record on security. Nonetheless, software can be incredibly complex.
>
> In the event that a vulnerability is found within any of McAfee's software, there is a strong process in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is therefore alerting its customers of the security flaw.
>
> McAfee apologizes for any unintended impact to customers as a result of this published vulnerability. We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work. We are determined to earn that trust every day and will do everything in our control to mitigate this problem now and in the future.
>
> For more information on this security vulnerability, please visit http://www.mcafee.com/us/support/default.asp [mcafee.com] . If that link does not work, then click here: http://www.mcafee.com/us/enterprise/support/index
Re:Fear, uncertainty, doubt. (Score:1)
Re:Fear, uncertainty, doubt. (Score:1, Informative)
McAfee found a design flaw back in February and quietly fixed it, meanwhile some other dudes, independently, find the flaw in the OLD FLAWED implementation between May and July.
I can't see anything that you have cited that frankly indicates that the news report is inaccurate. Perhaps you can provide some time line of events that supports your original assertion.
Re:Fear, uncertainty, doubt. (Score:2)
makes sense to me
McAfee found a design flaw back in February and quietly fixed it
GP's point is that we don't know that is what happened.
What we know is that versions post the Feb. update are not vulnerable. So, the Feb. update did something that made this exploit stop working.
That does not, however, mean that it was designed to block the exploit based on knowledge of the exploit. In fact, as GP suggested, it is actually quite common for code changes to
Rumour has it... (Score:5, Funny)
This is hardly exclusive to McAfee..... (Score:5, Interesting)
Re:This is hardly exclusive to McAfee..... (Score:1, Interesting)
Besides, I don't really know what you're defending, McAfee openly says it was a screwup and that because they depend on their customers trusting them they shouldn't have handled it the way they did.
Re:This is hardly exclusive to McAfee..... (Score:4, Interesting)
I'm not defending anything. I'm just saying that this behaviour is:
1. Not new in this industry.
2. If you trust them, this might make you think twice as they said that they did this WAY after the fact.
Good for McAfee! (Score:1, Funny)
I don't know how it's still around... (Score:5, Interesting)
The irony of this is, if you made the decision to run McAfee corporate AV products, you have demonstrated that you do not possess the level of intelligence to comprehend concepts like "introducing new problems". In a decade as an engineer/administrator I have yet to encounter a less user-friendly, more bewildering and functionally inept product. The sheer lack of elegance in the ePO server interface should tip anyone off that this is not ready for prime time. How it gets chosen over Trend Micro and Norton's (Corporate) products, or even finds its way into the competition is something I have yet to discover.
To anyone that has had the misfortune of being an ePO administrator, none of this news would come as a surprise. Personally, I removed the product from my resume simply because its presence at a company seems to predicate larger problems, and the only work I ever want to do with it again is replacing it.
Re:I don't know how it's still around... (Score:3, Insightful)
Note to AV vendors: you can't rest on your past laurels, to stay competitive you must move forward and innovate to keep from being dethroned by your "more hungry" competitors.
Past and recent experience has forced me to consider McAfee and Norton as "has beens", and no longer viable contenders. YMMV, but this is the way I see it.
Re:I don't know how it's still around... (Score:1)
Re:I don't know how it's still around... (Score:2)
when you get to the enterprise products they are still just as good as ever and getting better.
Personally I think most of their falling in the home area is ignorance in the consumers.. people want flashy very very very easy to understand things.. so Norton tried to make it.. they failed.. instead they made it cumbersome and crippled.
but when you look at the higher level stuff they still rock..
Re:I don't know how it's still around... (Score:2)
Re:I don't know how it's still around... (Score:2)
Mainly was talking about their personal/home products. That is what I have to deal with the most, but as far as their business product goes, it is "good", but not great, as it used to be the best as far as popularity goes.
They have slipped. Their corporate/business version is still okay, but their home/personal version is crud.
The reason I mention this is- how many people have Norton on their work PC, assume that the home version is what they should run on their home PC?
Do yo
Re:I don't know how it's still around... (Score:2)
Re:I don't know how it's still around... (Score:2)
I've seen many many instances of trojans hijacking corporate networks, taking down systems etc. internally (stuff you won't read in the papers) and Symantec has been fully patched with latest updates.
I'm also referring to the corporate edition, it totally stinks.
Stay away!
Re:I don't know how it's still around... (Score:2)
As for the slow response in releasing definitions and updates, there could be many good reasons for that. One of which is this story. :)
Re: (Score:2)
Re:I don't know how it's still around... (Score:2)
Meaning products that centrally report their activity and status? I need to be able to know at a glance (every day) that say, 50 systems all have the latest definitions, all got scanned at 4:30 this morning, and none found any malware.
Fire the PR department (Score:5, Insightful)
You missed one. (Score:3)
You're forgetting the third group: people who are glad they fixed it, and who are also glad that they minimized the vulnerability's exposure to the wider Guild Of Naughty People.
Re:You missed one. (Score:1)
Full (and premature) exposure is just too dangerous.
Re:Fire the PR department (Score:1)
Oh jeez oh man (Score:3, Insightful)
For that matter, many home users are starting to feel the same way.
(This paranoia has been brought to you by the letters W, G, and A.)
OT, please disregard (Score:4, Interesting)
Now, you have *many* choices. I don't see why you would ever want to choose a McAfee product as any level of protection (be it firewall, antivirus, anti-spam, or whatever) - it's just that the software has evolved into this huge monolithic POS that crashes your system, slows it down ungodly, bugs you like a Japanese whore (OMGLOLIBLOCKEDAHAX0R!) and, I don't have much doubt at all that it corrupts your system far beyond what's been reported before [slashdot.org], just out of pure experience with anomalies on customers' computers with it installed.
AVG. Seriously, it's much simpler, faster, and *just*doesn't*mess*with* Windows like McAfee does.
Re:OT, please disregard (Score:2)
Mod me a troll if you want; I don't care. I've had a shitty day and after a few beers it feels good to laugh at someone else's problems.
McAfee + Symantec=sucky (Score:3, Insightful)
Who's right about what happened here? (Score:5, Insightful)
So what that means is that McAfee issued a feature update in January. eEye alerted them to a flaw in July - said flaw exists in systems that do not have the January feature update applied.
If the above is correct, and it would seem to be, McAfee did nothing wrong at all.
Re:Who's right about what happened here? (Score:1)
Re:Who's right about what happened here? (Score:2)
So, McAfee did not release the feature update after the notification from eEye, as suggested here. Now that everyon
As opposed to... (Score:2)
- Tash
Vrooommm... [tashcorp.net]
Beware of McAfee (Score:2, Informative)
It can be a heck of a fight to actually get rid of it - see http://www.myfixes.com/articles/mcrem [myfixes.com] for details on how to root it out.
Removing over 100 spyware progs from my friend's poor PC gave less of a speedup than finally removing McAfee! Get AVG or NOD32 for antivirus, Zonealarm for firewall and Adaware SE, Spybot S & D and Spywarebla
It is the worst case scenario for an AV company (Score:4, Interesting)
On-access scanners, which pretty much every AV soft uses, will scan the file as soon as you open it. If a buffer overflow is crafted (to, say, use a flaw in the scanner's static unpacking algo for UPX), your AV soft will actually run the viral code.
This can happen. And it will. It's a matter of time. I'm quite sure the malware writers are already poking at the scanners of McAfee, Kaspersky, Symantec etc. to find usable overflows.
I think the future of AV soft is in servers, not client products. The future is in secure, chroot'ed scanning environments that examine the passing traffic, which, in turn, are constantly scanned from a second scanner outside that chroot environment, checking the integrity of the scanning subsystem inside the chroot.
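The comment above sketches an architecture where the scanning subsystem sits inside a chroot and a second, outside process continuously checks the integrity of what is inside it. The script below is an added example of that outside check, not code from this thread or from any AV vendor: it baselines the files of a confined scanner tree with SHA-256, keeps an HMAC over the baseline with a key held outside the tree, and reports modified, added or removed files on each re-verification. The chroot is modelled by a temporary directory, and the file names `scand` and `unpack_upx.so` are constructed stand-ins.

```python
"""Out-of-sandbox integrity check for a confined scanning subsystem.

Added example (not code from the thread or from any AV vendor). The
scanner is assumed to live in a confined directory tree (stand-in for
the chroot); a process outside that tree keeps a signed hash manifest
and re-verifies it, so that a scanner subverted by a crafted input can
be caught by the file changes it leaves behind. Everything here is
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root; keys are root-relative POSIX paths."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC over the canonical manifest so the baseline itself cannot be silently edited."""
    canonical = "\n".join(f"{p} {d}" for p, d in sorted(manifest.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(root: Path, baseline: dict[str, str], baseline_mac: str, key: bytes) -> dict:
    """Compare the live tree against the signed baseline.

    Returns a report with modified, added and removed paths plus whether
    the baseline's own MAC checked out. Any non-empty list means the
    scanning subsystem should be treated as compromised and rebuilt.
    """
    if not hmac.compare_digest(sign_manifest(baseline, key), baseline_mac):
        # A tampered baseline is itself a finding; do not trust its contents.
        return {"baseline_ok": False, "modified": [], "added": [], "removed": []}
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"baseline_ok": True, "modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: build a fake confined tree, baseline it, tamper, re-verify."""
    key = b"example-hmac-key-held-outside-the-chroot"  # constructed, not a real secret
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "scanner-chroot"
        (root / "bin").mkdir(parents=True)
        (root / "lib").mkdir()
        # Hypothetical scanner binary and unpacker module (constructed contents).
        (root / "bin" / "scand").write_bytes(b"\x7fELF fake scanner binary")
        (root / "lib" / "unpack_upx.so").write_bytes(b"\x7fELF fake unpacker")
        baseline = build_manifest(root)
        mac = sign_manifest(baseline, key)
        clean = verify(root, baseline, mac, key)
        # Simulate tampering inside the tree: a changed module and a new file.
        (root / "lib" / "unpack_upx.so").write_bytes(b"\x7fELF altered unpacker")
        (root / "tmp").mkdir()
        (root / "tmp" / "payload").write_bytes(b"unexpected file")
        dirty = verify(root, baseline, mac, key)
    return {"clean": clean, "dirty": dirty}


if __name__ == "__main__":
    report = demo()
    print("clean run:", report["clean"])
    print("after tamper:", report["dirty"])
```

The key and the baseline live with the outside checker, never inside the confined tree, which is what makes the second scanner the comment describes useful: a compromised inner scanner can rewrite its own files but cannot regenerate a valid MAC for a forged baseline.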
Re:It is the worst case scenario for an AV company (Score:1)
Hmm... (Score:1)
It's not so quiet now, is it?