Follow Slashdot stories on Twitter


Forgot your password?

McAfee Quietly Fixes Software Flaw 65

Chris Reimer writes "The San Jose Mercury News is reporting that McAfee fixed a serious design flaw months ago in their enterprise product without notifying businesses and U.S. government agencies until today." From the article: "McAfee said its own engineers first discovered the flaw, which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. McAfee produced a software update in February but described it only as offering new feature enhancements. Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."
This discussion has been archived. No new comments can be posted.

McAfee Quietly Fixes Software Flaw

Comments Filter:
  • There's bugs in software? And they were covertly fixed? Never!
    • Re:What a shock (Score:5, Insightful)

      by quanticle ( 843097 ) on Friday July 14, 2006 @04:42PM (#15721535) Homepage
      I think the problem is that McAfee mislabeled the patch as "offering new functionality" rather than "fixing design flaw". There are customers who may put off installing patches of the first type while the full consequences of the new functionality are explored, while the second type of patch would get put into production, because of the fact that it fixes a potential security breach.
    • by Anonymous Coward
      This explains the cryptic message left on many State Department servers last week by unknown hackers: "All your capitalist base are belong to us." However, Senator Ted Stevens explained what it meant: "You see, the Korean hacker guys, they used these tube things on the Internet, it's very complicated. It was probably them... Can you help me, I can't get my iPotato thing to work. Where does the CD slide into this thing? it's so small. Help. Help."
  • by metasecure ( 946666 ) * on Friday July 14, 2006 @04:37PM (#15721504)
    I'm gunna have to call FUD on this one... The news report is inaccurate - McAfee clearly acknowledges eEye Digital as discovering the claim, not their own engineers as the article states.

    Link to McAfee knowledgebase article: cmd=displayKC&docType=kc&externalId=9925498&sliceI d=SAL_Public []

    Copy of message sent by McAfee:
    > On July 5th, McAfee, Inc. was notified of a security vulnerability, by a private security vendor, that could affect McAfee ePolicy Orchestrator (ePO) Common Management Agent 3.5, and earlier versions. In order to accomplish this exploit, an attacker would need network access to the client machine and would then need to construct a message consisting of proprietary information. The attack is quite complicated and requires several steps of reverse engineering of the software as well as the communication protocols. > > McAfee> '> s key priority is the security of its customers and it takes the quality of its software very seriously. McAfee has been extremely proactive in this area and has a dedicated team run by a leading industry expert that pushes tools and knowledge throughout the product development organization. As a result, the company has a good track record on security. Nonetheless, software can be incredibly complex. > > In the event that a vulnerability is found within any of McAfee> '> s software, there is a strong process in place to work closely with the relevant security research group to ensure the rapid and effective development of a fix and communication plan. McAfee is therefore alerting its customers of the security flaw. > > McAfee apologizes for any unintended impact to customers as a result of this published vulnerability. We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work. We are determined to earn that trust every day and will do everything in our control to mitigate this problem now and in the future. > > For more information on this security vulnerability, please visit [] . If that link does not work, then click here: html [] and go to "Corporate Technical Support". You will see the bulletin on the left-hand side under "Announcements." >
  • by GillBates0 ( 664202 ) on Friday July 14, 2006 @04:41PM (#15721533) Homepage Journal
    which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs.

    ...that they used the above said flaw to quietly install the update.

  • by 8127972 ( 73495 ) on Friday July 14, 2006 @04:50PM (#15721585)
    ....... As I am sure that software vendors who do regular updates (in other words MOST if not ALL of them) quietly fix stuff that they perceive to be bad (as in "this could keep people from buying our stuff" bad). It's not in their interest to make noise about it.

    • by Anonymous Coward
      There's a difference between not taking out full page ads letting everyone know, or publishing the gory details, and mislabeling a critical update as a noncritical one.

      Besides, I don't really know what you're defending, Mcaffee openly says it was a screwup and that because they depend on their customers trusting them they shouldn't have handled it the way they did.
      • by 8127972 ( 73495 ) on Friday July 14, 2006 @05:02PM (#15721660)
        "Besides, I don't really know what you're defending, Mcaffee openly says it was a screwup and that because they depend on their customers trusting them they shouldn't have handled it the way they did."

        I'm not defending anything. I'm just saying that this behaviour is:

        1. Not new in this industry.
        2. If you trust them, this might make you think twice as they said that they did this WAY after the fact.
  • by Anonymous Coward
    Good for McAfee fixing their software flaws quietly. I mean, they shouldn't be such braggarts about it.
  • by fonetik ( 181656 ) <fonetik AT onebox DOT com> on Friday July 14, 2006 @04:57PM (#15721629)
    "Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems."

    The irony of this is, if you made the decision to run Mcafee corporate AV products, you have demonstrated that you do not possess the level of intelligence to comprehend concepts like "introducing new problems". In a decade as an engineer/administrator I have yet to encounter a less user-friendly, more bewildering and functionally inept product. The sheer lack of elegance in the ePO server interface should tip anyone off that this is not ready for prime time. How it gets chosen over Trend-micro and Norton's (Corporate) products, or even finds it's way into the competition is something I have yet to discover.

    To anyone that has had the misfortune of being an ePO administrator, none of this news would come as a surprise. Personally, I removed the product from my resume simply because it's presence at a company seems to predicate larger problems, and the only work I ever want to do with it again is replacing it.

    • I agree, McAfee has slipped, as has Norton AV the past several years.

      Note to AV vendors: you can't rest on your past laurels, to stay competetive you must move forward and innovate to keep from being dethroned by your "more hungry" competitors.

      Past and recent experience has forced me to consider McAfee and Norton as "has beens", and no longer viable contenders. YMMV, but this is the way I see it.
      • Are you talking about Norton/Symantec home products or enterprise products?
        • yea the only place that Norton has sliped is in the small home/ office area..

          when you get to the enterprise products they are still just as good as ever and getting better.

          personaly i think most of their falling in the home area is ignorace in the consumers.. people want flashy very very very easy to understand things.. so Norton tryed to make it.. they failed.. instead they made it cumbersome and crippled.

          but when you look at the higher lever stuff they still rock..
        • Speaking for myself, strictly Corporate products. I haven't used any of their home products in some time since they added all the Anti-spy/spam/worm/pop-up/productivity/time/matte r /space 'improvements'. My home computers have never needed AV, I just keep them vigilantly updated and watch the firewall with an occasional free web scan from trend-micro. Then again, my home is also free of attachment clicking dummies, so I am fortunate. Whenever I have a need to install one though, I just use the corp prod
        • Good question, and most relevant.
          Mainly was talking about their personal/home products. That is what I have to deal with the mos, but as far as their business product goes, it is "good", but not great, as it used to be the best as far as popularity goes.
          They have slipped. Their corporate/business version is still okay, but their home/personal version is crud.
          The reason I mention this is- how many people have Norton on their work PC, assume that the home version is what they should run on their home PC?
          Do yo
      • Norton has been pure crap since (at the latest) corporate version 7. I have little technical respect for anyone who has had a chance to replace it and hasn't. I realize lots of people can't possibly get approval for a shift like that.
      • I agree, I have had the misfortune of working with Symantec (i'm a security consultant) and for a product to claim itself as an AV which has no malware, trojan detection is a slap in the face.

        I've seen many many instances of trojan's hyjacking corporate networks, taking down systems etc internally (stuff you won't read in the papers) and Symantec has been fully patched with latest updates.

        I'm also refering to the corporate edition, it totally stinks.

        Stay away!
    • I adminster an EPO server. It works great, it's not confusing to me, and it gets the job done. Each to his own I guess.
    • So what are tne good alternatives to the "corporate edition" products from NAI and Symantec?

      Meaning products that centrally report their activity and status? I need to be able to know at a glance (every day)that say, 50 systems all have the latest definitions, all got scanned at 4:30 this morning, and none found any malware.

  • by alshithead ( 981606 ) * on Friday July 14, 2006 @04:59PM (#15721642)
    Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.
    • Which will make customers more unhappy? Notifying users of an issue and presenting a fix or hiding an issue and surreptitiously issuing a fix hidden in an upgrade? Situations like this cause customers to lose trust and once it is lost it is very difficult to earn back.

      You're forgetting the third group: people who are glad they fixed it, and who are also glad that they minimized the vulnerability's exposure to the wider Guild Of Naughty People.
    • I believe that in 'some' situations, ignorance is bliss. In this case, it's certainly the prefered option from my perspective. Look at what Microsoft migrated from. They used to announce the bugs, and not patch them until later which provided a flag to exploiters out there to 'go find' what Microsoft said was vulnerable. Therefore, 1) Notification 2) Hacker (Black Hatter) exploitation 3) Patch. Where as with McAfee, though misleading, did not raise that flag informing the Hacker (Black Hatter) community of
  • Oh jeez oh man (Score:3, Insightful)

    by Dachannien ( 617929 ) on Friday July 14, 2006 @05:05PM (#15721688)
    Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems.

    For that matter, many home users are starting to feel the same way.

    (This paranoia has been brought to you by the letters W, G, and A.)
  • OT, please disregard (Score:4, Interesting)

    by TheDarkener ( 198348 ) on Friday July 14, 2006 @05:07PM (#15721699) Homepage
    Aside from this specific instance of a security vulnerability in McAfee products, seriously. McAfee *was* a decent product. In, say, 1993. For DOS. Because it was just about the only antivirus protection you could get at the time.

    Now, you have *many* choices. I don't see why you would ever want to choose a McAfee product as any level of protection (be it firewall, antivirus, anti-spam, or whatever) - it's just that the software has evolved into this huge monolithic POS that crashes your system, slows it down ungodly, bugs you like a Japanese whore (OMGLOLIBLOCKEDAHAX0R!) and, I don't have much doubt at all that it corrupts your system far beyond what's been reported before [], just out of pure experience with anomolies on customers' computers with it installed.

    AVG. Seriously, it's much simpler, faster, and *just*doesn't*mess*with* Windows like McAfee does.
    • A better product was MS's own format program. It really doesn't matter how good or bad the virus detection software is. The ubiquity of the defective Wintel platform guarantees that those who run it will always be vulnerable. I thank them for leaving their keys in the ignition so that my own ride can remain relatively safe.

      Mod me a troll if you want; I don't care. I've had a shitty day and after a few beers it feels good to laugh at someone else's problems.

  • by BalkanBoy ( 201243 ) on Friday July 14, 2006 @05:19PM (#15721749)
    they both produce an antivirus solution which annoys me with their anal-retentiveness. Since joining my current company, I discovered they used NOD32 - as soon as I installed it, I never ever wanted to go back to either McAfee or Symantec. I ditched McAfee about 6-7 years ago, and Symantec as of a year or so ago. Couldn't be happier. NOD32 is the most unobtrusive antivirus I've ever had. Ditch McAfee and/or Symantec, get NOD32 (or something better if it exists). Give the underdog a chance.
  • by MrNougat ( 927651 ) <ckratsch@gmail . c om> on Friday July 14, 2006 @05:26PM (#15721774)
    This c|net article [] says:

    McAfee was notified of the flaw by eEye Digital Security on July 5, but at the time had already fixed the flaw in an update to its software that was released in January, Viega said. That update was meant to fine-tune the system, not fix security flaws, he said. The current version of ePO is 3.6, according to McAfee.

    "We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week," Viega said. "We were optimizing the system, not looking for security vulnerabilities." The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.

    So what that means is that McAfee issued a feature update in January. eEye alerted them to a flaw in July - said flaw exists in systems that do not have the January feature update applied.

    If the above is correct, and it would seem to be, McAfee did nothing wrong at all.
    • I'm a McAfee customer and responsible for the Anti-Virus and host intrusion prevention security engineering for 170,000 + workstations and servers managed by ePO. The software vulnerability disclosed today is found in ePO agents (the software that allows communication between the endpoint and the ePO server) prior to the latest release. The agent which is not vulnerable was released early this year to support some hooks into McAfee's recently released Host Intrusion Prevention (HIPS) product called "Enterce
      • My point was really this: the Slashdot article claims that eEye notified McAfee of a flaw, then McAfee fixed the flaw inside an update only labeled "feature update." According to the c|net article, McAfee released the feature update in January, eEye found the flaw in July, and it turns out that the way the January feature update changed data handling also eliminated the flaw, serendipitously.

        So, McAfee did not release the feature update after the notification from eEye, as suggested here. Now that everyon
  • As opposed to some other companies [] that are very loud about their attempts to fix their software []

    - Tash
    Vrooommm... []
  • Beware of McAfee (Score:2, Informative)

    by pobster ( 988514 )
    McAfee is possibly my least favorite piece of software - not only does it do it's job badly & slow down everything but it doesn't uninstall even vaguely properly.

    It can be a heck of a fight to actually get rid of it - see [] for details on how to root it out.

    Removing over 100 spyware progs from my friends poor PC gave less of a speedup than finally removing McAfee! Get AVG or NOD32 for antivrus, Zonealarm for firewall and Adaware SE, Spybot S & D and Spywarebla
  • by Opportunist ( 166417 ) on Friday July 14, 2006 @07:29PM (#15722424)
    Imagine malware akin to the Word/Excel/Powerpoint exploits that entertained us the last 3 months (accurately released right after the MS patchday), but targeting a buffer overflow in an AV product. The results would be devastating. EVERYONE who uses that AV software WILL be infected. Not can, but WILL.

    On-access scanners, which pretty much every AV soft uses, will scan the file as soon as you open it. If a buffer overflow is crafted (to, say, use a flaw in the scanners static unpacking algo for UPX), your AV soft will actually run the viral code.

    This can happen. And it will. It's a matter of time. I'm quite sure the malware writers are already poking at the scanners of McAfee, Kaspersky, Symantec etc. to find useable overflows.

    I think the future of AV soft is in servers, not client products. The future is in secure, chroot'ed scanning environments that examine the passing traffic, which, in turn, are constantly scanned from a second scanner outside that chroot environment, checking the integrity of the scanning subsystem inside the chroot.
  • by htns ( 979962 )
    McAfee Quietly Fixes Software Flaw

    It's not so quiet now, is it?

Disks travel in packs.