Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Tuesday, March 29, 2011

McAfee's Website Full of Security Holes

TechEYE.net is reporting that McAfee's corporate website is riddled with vulnerabilities. It must be a bit of an embarrassment for McAfee and its new owner Intel that the YGN Ethical Hacker Group reported the McAfee website is full of security mistakes that could lead to cross-site scripting and other attacks. These holes were reported to McAfee last month.

From the TechEYE.net article:

In addition to cross-site scripting, YGN discovered numerous information disclosure holes with the site including seeing an internal hostname and finding 18 source code disclosures.
The bit of the site that could be used for XC scripting attack hosted some of McAfee's files for downloading software.
If only there were some software which could scan a site to detect such errors.
McAfee peddles a McAfee Secure service to enterprises to make sure their customer-facing websites are secure. McAfee Secure scans a website daily for "thousands of hacker vulnerabilities" and if a site gets McAfee's "high standard of security," then users of McAfee anti-malware products see a "McAfee Secure" label in their browsers.
The security product claims to test for personal information access, links to dangerous sites, phishing, and other embedded malicious dangers that a website might unknowingly be hosting.

Apparently problems with security on McAfee's website aren't new.

Actually McAfee's website is regularly found to be lacking in security. In 2008 it was found to be suffering from cross-site scripting (XSS) errors by security outfit XSSed.
In 2009, a white-hat hacker going by Methodman published proof-of-concept attacks against the websites kc.mcafee.com and mcafeerebates.com, and in April 2010 the McAfee.com community forums were defaced via an XC scripting attack.

One certainly hopes McAfee puts more security in their product than they do in their website.

1 comment:

Timothy C. said...

McAfee has since issued this announcement:

On Monday March 28, 2011, various online news outlets reported on vulnerabilities in McAfee Web sites. McAfee is aware of these vulnerabilities and resolution is underway. PLEASE NOTE that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information.
Vulnerability Details
• Cross Site Scripting in download.mcafee.com: could allow attacks that spoof the McAfee brand by presenting a URL that appears to direct the user to a McAfee Web site, but in fact directs elsewhere.
• Information disclosure on www.mcafee.com: gives detail on an internally-used application to measure Web traffic; does not disclose any proprietary or customer information.
• Information disclosure on download.mcafee.com: provides access to the source code for some of the interactive pages on our Web site; does not disclose any proprietary or customer information.
McAfee has not seen any malicious exploitation of the vulnerabilities. We are rapidly resolving these vulnerabilities and are conducting a comprehensive review of the McAfee Web site.
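The two weakness classes named in the article and in McAfee's announcement (a download page open to reflected cross-site scripting, and a URL that looks like it points at the vendor's site but sends the user elsewhere) both come down to trusting request input at the output point. The following is an added example, not code from the post or from McAfee, using a constructed stand-in download page and a hypothetical allow-list of redirect hosts (`ALLOWED_REDIRECT_HOSTS`) to show the vulnerable form beside the hardened one:

```python
import html
from urllib.parse import urlparse

# Constructed sample: a download page that echoes the requested file name
# back into its HTML. This is a hypothetical stand-in, not McAfee's page.


def render_download_page_vulnerable(filename: str) -> str:
    """Reflects the request parameter straight into the markup.

    Any '<', '>' or quote characters in `filename` become part of the page,
    which is the reflected cross-site scripting pattern.
    """
    return f"<h1>Downloading {filename}</h1>"


def render_download_page_safe(filename: str) -> str:
    """Same page with HTML entity encoding applied where the value is emitted.

    html.escape turns '<', '>', '&' and (with quote=True) quote characters
    into entities, so the browser renders them as text rather than markup.
    """
    return f"<h1>Downloading {html.escape(filename, quote=True)}</h1>"


# Hypothetical allow-list of hosts a post-download redirect may point to.
ALLOWED_REDIRECT_HOSTS = {"download.example.com", "www.example.com"}


def is_safe_redirect(target: str) -> bool:
    """Accept only site-relative paths or absolute http(s) URLs on an
    allow-listed host.

    Rejecting everything else closes the spoofing case the announcement
    describes: a link that appears to lead to the vendor's site but
    actually directs the user elsewhere.
    """
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # A plain path. urlparse assigns a netloc to '//host/...' forms, so
        # they never reach this branch; still require a single leading '/'.
        return target.startswith("/") and not target.startswith("//")
    # Exact host match only: 'download.example.com.evil.test' or a
    # 'user@host@evil' userinfo trick will not be in the set.
    return parsed.scheme in ("http", "https") and parsed.netloc in ALLOWED_REDIRECT_HOSTS


if __name__ == "__main__":
    probe = '<script>alert(1)</script>'
    print(render_download_page_vulnerable(probe))
    print(render_download_page_safe(probe))
    for candidate in ("/downloads/agent.exe", "//evil.test/", "https://download.example.com/x",
                      "https://download.example.com.evil.test/", "javascript:alert(1)"):
        print(candidate, "->", is_safe_redirect(candidate))
```

The point of the pair is where the check lives: encoding at the output sink (not input filtering) fixes the reflection regardless of which parameter is echoed, and an exact-host allow-list for redirects is simpler to reason about than trying to blacklist lookalike URLs.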