McAfee's website suffers from a number of vulnerabilities that could allow cross-site scripting (XSS) attacks and information disclosure, researchers warned this week.
The YGN Ethical Hacker Group, a Burmese-based web security and penetration testing firm, published details of the flaws on the Full Disclosure mailing list Monday.
The group went public with the bugs after reporting them to McAfee on Feb. 10, according to the post. The security giant on Feb. 12 told the group it was working on a fix, but the issues remain unresolved.
McAfee, in a statement sent to SCMagazineUS.com on Monday, acknowledged the flaws and said it is still working to fix them.
In a worst-case scenario, the company said, the XSS vulnerability could allow attackers to offer up a URL that appears to point to a McAfee website but really leads elsewhere.
Kevin Fernandez, a researcher who co-founded the security watchdog XSSed, told SCMagazineUS.com in an email Tuesday that the flaw is “quite dangerous” and could be abused by phishers to trick users into downloading viruses.
The information disclosure bugs could provide access to the source code of McAfee's web pages or an internal application used to measure web traffic, McAfee said. They do not provide access to any customer information.
“McAfee is aware of these vulnerabilities and we are working to fix them,” the security giant said in the statement. “It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities.”
Fernandez, meanwhile, said McAfee has patched XSS vulnerabilities quickly in the past, so there is no reason why the security firm should have taken more than a month to fix this one.
In its statement, McAfee admitted it has taken longer than usual to address the issues.
“Whenever a vulnerability is reported, McAfee strives to address it as soon as possible,” the company said. “We are investigating the cause of the delay and will adjust our processes if necessary to prevent reoccurrence.”
This is not the first time McAfee's web pages have been riddled with vulnerabilities. And researchers also have discovered holes in sites belonging to other security companies, including Kaspersky Lab, BitDefender, Symantec and Intel.
A March report from White Hat Security, makers of website security tools, said that the average website contains "serious" vulnerabilities nine months out of the year.
