Application security, Patch/Configuration Management, Vulnerability Management

McAfee could patch widespread flaw as early as tomorrow

A patch addressing a flaw in consumer versions of McAfee software is expected to be released Wednesday.

The vulnerability – discovered by competitor eEye Digital Security – allows for remote code execution and affects several McAfee products: Internet Security Suite 2006, Wireless Home Network Security, Personal Firewall Plus, VirusScan, Privacy Service, SpamKiller and AntiSpyware, according to the SANS Internet Storm Center.

According to a McAfee security bulletin, the vulnerability – rated medium – affects SecurityCenter versions 4.3 through 6.0.22. As one fix, the anti-virus giant recommends users upgrade to the recently released SecurityCenter 7.0.

McAfee said in the bulletin that engineers were performing quality assurance testing in advance of an expected patch release Wednesday.

eEye, meanwhile, rated the flaw critical because "it could be used as part of a wide-based internet attack," Mike Peterbaugh, vice president of marketing, said today. eEye researchers found the flaw – the second such McAfee bug discovered by the security company in a month – as they were analyzing how McAfee's anti-virus solution integrates with eEye's client security product.

McAfee kept its rating at medium because the vulnerability requires user interaction.

"This attack requires the end user to perform certain actions in order to be exploited," according to the security bulletin. "For example, receiving an email from an untrusted source and clicking on a URL. A successful exploit of the security flaw would allow an attacker to remotely execute arbitrary code on the machine running the indicated software."

eEye exposed another McAfee flaw last month, that one affecting the anti-virus giant's ePolicy Orchestrator (EPO). That bug could allow attackers to compromise systems and execute malicious code. EPO, one of the most widely deployed enterprise security solutions, runs from a centralized location and lets administrators enforce policy, deploy agents and monitor security.

The vulnerability was fixed in February, but at the time, McAfee passed off the update as containing new features, not repairing a security hole, security experts said. As a result, many organizations chose not to update, although experts do not think the flaw affected any users.

Later, McAfee came clean on the vulnerability and urged customers to update their solution after researchers from eEye Digital Security exposed the problem. McAfee apologized to customers in an email.

"McAfee's key priority is the security of its customers and we take the quality of our software very seriously. McAfee has been extremely proactive in this area and has a dedicated team run by a leading industry expert that pushes tools and knowledge throughout the product development organization," the company said today in a statement.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.