McAfee gets lucky with security fix
McAfee has fixed a serious security hole in its software by accident.
According to security specialists eEye Digital, McAfee’s ePolicy Orchestrator, used for monitoring and administering McAfee’s enterprise software products, contained a vulnerability in its Framework Service component.
The flaw, if successfully exploited, would let an attacker abuse the mechanism by which the system sends configuration changes to a specific file on the client software: rather than a configuration change, arbitrary code could be sent out and written anywhere on the target systems.
However, in a subsequent update to the product, McAfee introduced a system change so that rather than writing these configuration changes to a file, the commands were held in memory. In doing so, McAfee fixed the flaw, even though ultimately the update was issued to improve performance rather than fix bugs.
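The two patterns described above, as an added illustration that is not McAfee's code: an agent that writes whatever file a pushed message names (the flaw class eEye describes) beside one that accepts only known configuration keys and applies them in memory, so a message can never become an arbitrary file write. The message format, the key allowlist and the `AgentConfig` class are all assumptions made for this example; the "root" directory only keeps the demonstration inside a temporary folder.

```python
"""Illustrative reconstruction of the flaw class described in the article.
Not McAfee's code: message format, allowlist and class names are assumptions."""
import os
import tempfile

# Constructed sample messages of the kind a management server might push.
BENIGN_UPDATE = {"key": "scan_interval", "value": "3600"}
# A message with an attacker-chosen target path and payload (constructed, generic).
HOSTILE_UPDATE = {"path": "/etc/not-a-config-file", "value": "attacker-chosen content"}

# Assumed allowlist: the only settings that may be changed remotely.
ALLOWED_KEYS = {"scan_interval", "log_level", "update_server"}


def apply_update_unsafe(update, root):
    """Vulnerable pattern: the message names the file, the agent writes it.
    `root` stands in for the filesystem root so this demo stays inside a temp
    directory; the flaw as described had no such boundary, and the agent
    typically runs with high privileges."""
    target = os.path.join(root, update["path"].lstrip("/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(update["value"])
    return target


class AgentConfig:
    """In-memory configuration store: updates change state, never the filesystem."""

    def __init__(self):
        # Assumed defaults for the demo.
        self.settings = {
            "scan_interval": "86400",
            "log_level": "info",
            "update_server": "epo.example.internal",
        }

    def apply_update_safe(self, update):
        """Hardened pattern: only a known key may change and its value is checked.
        The message has no way to name a file, so it cannot turn into a write
        to an arbitrary location. Returns True if applied, False if rejected."""
        key = update.get("key")
        value = update.get("value")
        if key not in ALLOWED_KEYS or not isinstance(value, str) or len(value) > 256:
            return False
        if key == "scan_interval" and not value.isdigit():
            return False
        if key == "log_level" and value not in {"debug", "info", "warn", "error"}:
            return False
        self.settings[key] = value
        return True


def demo():
    """Run both handlers against the constructed messages and report the outcome."""
    root = tempfile.mkdtemp()
    written = apply_update_unsafe(HOSTILE_UPDATE, root)
    cfg = AgentConfig()
    return {
        # The unsafe handler created a file at the attacker-chosen location.
        "unsafe_wrote_attacker_path": os.path.isfile(written)
        and written.endswith("etc/not-a-config-file"),
        "safe_accepts_benign": cfg.apply_update_safe(BENIGN_UPDATE),
        "safe_rejects_hostile": cfg.apply_update_safe(HOSTILE_UPDATE),
        "scan_interval": cfg.settings["scan_interval"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The defensive point is the one the article makes implicitly: once the update channel can only change named settings in memory, the question of where on disk the payload lands never arises, which is why a performance-motivated redesign happened to close the hole.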
McAfee’s update was released in January, but having subsequently become aware of the flaw, which it discovered independently of eEye Digital, it emailed its corporate customers on Friday urging them to upgrade.
eEye Digital’s Chief Hacking Officer Marc Maiffret criticised McAfee over the way it has handled this. He said companies should clearly distinguish between general software updates and security fixes. Although McAfee claims that the fix in this particular case was inadvertent, Maiffret warned that many enterprises operate on an ‘if it ain’t broke, don’t fix it’ basis. Companies often choose not to apply general software updates when doing so involves redeploying every client on the network.
‘It is … important for software vendors to create a separation of security and features when providing updates. In this case, fixing an extremely critical vulnerability without the proper notification is a disservice to customers,’ he said.
All McAfee customers using versions of McAfee Common Management (EPO) Agent below 220.127.116.118 should upgrade to the latest version now.