In association with heise online

29 March 2011, 12:23

Holes in McAfee's web site


Until last weekend, the web site of security firm McAfee contained several security vulnerabilities that are detailed in an advisory released by the Burmese security lab, YEHG, who discovered the holes.

Problems reportedly included a cross-site scripting (XSS) hole at download.mcafee.com and a flaw that allowed the source code of various ASP.NET pages to be retrieved. Whether these pages contained sensitive information remains unknown. Occasionally, however, such files can contain valuable information for attackers who are in the process of compromising a server.

Apparently, a JavaScript file at download.mcafee.com also disclosed host names in McAfee's infrastructure, and the server addresses reportedly still contained the vendor's old name, Network Associates (NAI). In 2004, the vendor's name was changed from NAI back to McAfee. YEHG said that McAfee had already been informed of the issues in February but had failed to respond. Shortly after the advisory was released last weekend, McAfee started to solve the problems. Talking to the US media, McAfee said that the vulnerabilities did not expose any of McAfee's customer, partner or corporate information at any time.

McAfee has already had to fix vulnerabilities in its pages before. In 2009, a particularly embarrassing vulnerability affected McAfee's Secure security portal, which was vulnerable to cross-site request forgeries (CSRF). McAfee Secure is a service that allows customers to check their own site or online store for security holes and for conformity with the PCI DSS standard, which is important for credit card transactions.


(crve)

Permalink: http://h-online.com/-1216928
 

