Skip to comments.McAfee Security Programs May Expose Data
Posted on 08/01/2006 10:15:51 AM PDT by VRWCtaz
Consumer versions of McAfee Inc.'s leading software for securing PCs is susceptible to a flaw that can expose passwords and other sensitive information stored on personal computers, researchers said Monday.
The vulnerability affects many of McAfee's most popular consumer products, including its Internet Security Suite, SpamKiller, Privacy Service and Virus Scan Plus titles, said Marc Maiffret, chief hacking officer at eEye Digital Security Inc., a competing maker of security products.
McAfee spokeswoman Siobhan MacDermott confirmed the vulnerability and said software engineers were testing a fix. She said officials expected to release the patch Wednesday using a feature that automatically updates McAfee products over the Internet. The flaw does not affect 2007 versions of McAfee products, which were released Saturday, she said.
Maiffret said he has found a way to connect to PCs running the flawed McAfee products over the Internet and make them run code of his choosing. The flaw, if exploited, would make it possible for a criminal to track bank account numbers, and access, modify and delete sensitive files and do other damage on machines running the McAfee products, he said.
The reported flaw came on the same day that McAfee posted an item on its Web site taking a swipe at Microsoft Corp., whose products increasingly compete with the offerings of McAfee, Symantec Corp. and other security companies. It warned that code had been released that exploited flaws in a feature used to automate certain administrative tasks in Microsoft's Windows operating system.
"Microsoft products have always been an attractive target for hackers and malware authors," according a posting on the McAfee Web log.
Maiffret's company, which in the past has discovered embarrassing flaws in products sold by Apple Computer Inc., Microsoft, Symantec and McAfee, said he was withholding technical details of Monday's vulnerability to prevent criminals from learning how to exploit it.
The flaw comes two weeks after Aliso Viejo, Calif.-based eEye disclosed a hole in McAfee program for protecting business computers. In that case, Santa Clara, Calif.-based McAfee said it had fixed the defect three months earlier but did not warn customers about it until eEye made it public.
In May, eEye uncovered a similarly dangerous flaw in security software by Symantec.
Neither Maiffret nor McAfee said they were aware of any attacks that target the flaw disclosed on Monday.
"The vulnerability isn't public, so you shouldn't see exploits for it," Maiffret said, adding that users of McAfee products should make sure they are configured to automatically check for updates each day.
an = any
Thank you. I do have it. Great, we buy a security package to prevent ID theft AND the package endangers us to ID theft.
I want a refund.
I got mine for free from being a comcast customer. I set it to update as often as possible.
The devil is in the details. The latest Mcafee release, the one they keep telling you is new and improved and that you should upgrade to(an annoying pop-up whenever you restart the computer), will not install if you have competing products installed.
By competing I mean Ad-Ware/Internet firewalls etc. I always check the boards before I install any new upgrades. Seems their latest upgrade will also freeze your computer, remove other ad-ware/firewall programs or if you refuse to answer yes to the "Do you want to remove these programs", you will be left without virus protection and a computer that freezes.
My advice is not to upgrade your Mcafee. Just stick with your 10.0 version, they still have to update the virus def. files.
They're forcing upgrades now. My virus subscription still has 2 months to go, and updates won't install unless you upgrade to the new version, which is still crapping out everybody's computer.