The Inquirer-Home

McAfee admits to flaws in its Saas Total Protection

Updated Allows execute code control and spam distribution
Thu Jan 19 2012, 12:18

SECURITY VENDOR McAfee has admitted there are two security flaws in its anti-malware security as a service Saas for Total Protection product.

One of the bugs means an attacker could use an ActiveX control to execute code and the other involves potential exploitation of its 'rumour' technology. The second flaw could allow an affected PC to work as an open relay to send out spam.

Dave Marcus, director of security research at McAfee said, "Two issues in Saas for Total Protection have arisen in the past few days. We have mitigating factors already in place that reduce risk, and a patch is coming to remediate any additional risk to our customers."

Zero Day Initiative exposed the first defect and said, "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of McAfee Security-as-a-Service. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."

Customers will receive the patch automatically if they don't have it already, because the firm said it would be available on 18 or 19 January. Marcus confirmed that there is "no evidence of loss or compromise of any customer data in relation to either of these issues".

Although both issues allow malicious activity to take place the firm said that neither attack allows access to customer data. A patch released in August last year fixed a problem similar to the ActiveX vulnerability and effectively reduced the risk to zero by cutting off the exploitation path.

McAfee said, "Customers should be aware that McAfee released a patch last August that effectively made the vulnerability inaccessible. We do not believe this issue poses any risk to existing customers due to the mitigations already in place."

The second flaw has been exploited by spammers to use affected machines to increase the amount of spam being distributed, the firm admitted. The patch will simply repair this flaw to shut down this capability.

Updated
McAfee has announced the patch has started to roll out to all Saas Total Protection users. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Coding challenges

Who’s responsible for software errors?