Feeds

McAfee website visited by plague of security locusts

Eradication proves difficult

Internet Security Threat Report 2014

McAfee's website has been has been hit by at least three nasty bugs that left its customers susceptible to phishing and other types of scams. At least one remained unfixed at time of writing, more than 24 hours after it was first disclosed.

The most serious vulnerability, ironically enough, affected McAfee Secure, a service that certifies the security of sites that conduct ecommerce and other sensitive transactions. Mike Bailey of the Skeptikal.org blog found the site suffered from a CSRF, or cross-site request forgery, that could have allowed attackers to take control of customer accounts.

McAfee has already fixed the bug, but during the five weeks that Bailey monitored it, the site continued to bear the McAfee Security logo, raising questions about just how valuable such a mark is. McAfee Secure, after all, is designed to pinpoint precisely these types of vulnerabilities.

It also shines a bright light on the processes McAfee takes to ensure its websites are free of such hazards. According to Bailey, the vulnerable application was not designed with the benefit of an SDL, or secure development lifecycle, which builds products from scratch to make sure they follow security best practices. He also said that prior to the bug being reported, McAfee "had never performed a full code review for web vulnerabilities."

McAfee spokesman Joris Evers said he didn't know whether the application followed an SDL, but in any event, he said the company follows strict practices to make sure its sites are safe.

"Obviously, we have processes in place that check our websites for vulnerabilities, and unfortunately, it appears a couple slipped through. We will look at the processes we have to make sure that if they're broken, they get fixed."

Bailey's report coincided with the discovery of a separate vulnerability on a part of McAfee's website that handles customer rebates. Lance James, co-founder of Secure Science Corporation and author of Phishing Exposed, created a proof-of-concept link that showed how phishers could use the vulnerability to create authentic-looking spoof pages that bear McAfee's domain name and secure sockets layer certificate while directing visitors to pages that try to steal their personal information.

The vulnerability was publicly disclosed on Monday, but at time of writing, more than 24 hours later, the hole remained unpatched.

Evers, the McAfee spokesman, said the company was "very close" to squashing the bug.

A separate batch of bugs in McAfee's website were reported late last week by an independent security group that goes by the name Team Elite.

Of course, no website or software is free of security bugs, but the issue here goes beyond that. First, consider the sheer number and then remember that McAfee is a security company, so the bar for the company is higher. Second, it's time McAfee adopted comprehensive SDLs for its products. That would go a lot farther than a logo in ensuring its considerable base of customers is secure. ®

Update

On late Tuesday, McAfee took the unfixed part of its website offline while the vulnerability was being repaired.

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.