McAfee Downplays Security Flaws

By , About.com Guide

August 1, 2006

Vulnerability researchers at eEye Digital have uncovered serious flaws in McAfee security products that could allow attackers to gain remote control of affected systems. Of course, security vulnerabilities can - and do - exist in nearly all software, and security software is certainly no exception. What makes the McAfee flaws exceptional is the manner in which the vulnerabilities have been addressed thus far.

McAfee's bulletin obscures the range of affected products.
McAfee describes the flaws found in their consumer line of products as impacting McAfee SecurityCenter versions 4.3 through 6.0.22. What the bulletin doesn't mention is that the SecurityCenter is included in a wide range of products, including McAfee Internet Security Suite 2006, McAfee VirusScan, McAfee AntiSpyware, McAfee SpamKiller, McAfee Wireless Home Network Security, and McAfee Personal Firewall Plus. These products were all tested by eEye Digital and found to be vulnerable to the flaw.

McAfee minimizes the vulnerability discovered in their consumer security products, classifying it as a Medium level threat.
Commonly, when security flaws allow attackers to remotely - and completely - take over a system, those vulnerabilities are rated High, Critical, or Severe. But when eEye reported a vulnerability in McAfee's consumer products that could lead to total system compromise, McAfee assigned the vulnerability a "Medium" threat level, a rating that could potentially give users a false sense of security. McAfee's rationale - the exploit involves user interaction.

McAfee 'geek-speak' undermines the ease of exploit.
The McAfee security bulletin labels the vulnerability impact as "Arbitrary Command Execution with the assistance of an authenticated user". In plain English, this means anyone exploiting the flaw can take over the system completely, simply by tricking the user into clicking a link or opening an attachment. Remember, this is also the basis for their designating the flaw as only a "Medium" level threat.

Just two previous to the discovery of vulnerabilities in their consumer products, McAfee silently pushed security patches for an equally serious security flaw discovered in their enterprise versions. That practice prompted eEye Digital to report in their advisory, "This creates a scenario where organizations would potentially choose to stick with their current deployments, rather than re-deploying hundreds, if not thousands, of new agents for what would appear to solely contain innocuous feature updates."

It bears repeating that security vulnerabilities can and do exist in nearly all products. The fault with McAfee isn't that security flaws were discovered in their consumer and enterprise security products. The challenge is responsibly disclosing and remediating those flaws in a manner that puts the customer - and not the company - first.

References:

  • eEye Digital advisory: McAfee ePolicy Orchestrator Remote Compromise
  • eEye Digital advisory: Flaw in multiple McAfee consumer products
  • McAfee: Security Bulletin regarding flaws in consumer products
  • International Herald Tribune: McAfee software flaw found
    ©2009 About.com, a part of The New York Times Company.

    All rights reserved.