McAfee's products threaten desktop security
A hole has been discovered in McAfee's security products for home users that could allow malicious programs to sneak onto computers. The flaw is located in Security Center, which, among other functions, informs users about the security status of their PC. In doing so, the software uses Internet Explorer and several ActiveX controls. These controls evidently contain a hole through which malicious code can be planted on the computer and executed during a visit to a manipulated website. The user must actually visit the site himself, however, which is why the manufacturer is categorizing the danger of a successful attack as only "moderate". eEye, which discovered the hole, sees the potential threat as much greater and has assigned a rating of "high" to the problem. This is because it takes only one ill-considered click on what might seem like an interesting link in an email to redirect the user to the rigged website.
The flaw affects Security Center versions 4.3 through 6.0.22, as implemented in McAfee's Internet Security Suite 2006, Wireless Home Network Security, Personal Firewall Plus, VirusScan, Privacy Service, SpamKiller and AntiSpyware. To fix this problem, Security Center version 7.0 has now been released, and is being distributed via the automated updater. Enterprise products are not affected.
- Upcoming Advisories, Advisory from eEye
- McAfee SecurityCenter 7.0 or higher fixes vulnerability, Advisory from McAfee