McAfee apologizes for not publicizing fix

Cthippo · 15 Jul 2006

Associated Press said:

WASHINGTON - A leading computer security company, McAfee Inc., fixed a dangerous designflaw months ago in its flagship technology for managing protective software in large organizations but did not warn businesses and U.S. government agencies until Friday.

McAfee issued a rare apology and urged customers to install updated versions of its software immediately. McAfee's antivirus software is used by more than one-third of corporations in the United States and Europe. A spokeswoman, Siobhan MacDermott, said there were no reports of victims.

The design flaw affects a component in McAfee's "ePolicy Orchestrator," used for managing security software on tens of thousands of computers across large organizations. The Defense Department announced last month it has selected the technology from Santa Clara, Calif.-based McAfee to run its computer-intrusion-prevention systems worldwide.

McAfee six months ago inadvertently repaired the flaw after an engineer made other changes to its software, said its chief security architect, John Viega. The flaw in McAfee's "common management agent" lets attackers in some cases seize control of computers to steal sensitive data, delete files or implant malicious programs.

"We didn't really realize we fixed the problem," Viega said. "We fixed one, but it was by accident."

McAfee produced a software update in January based on the changes but described it only as offering new feature enhancements.

Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems.

McAfee acknowledged the design problem Friday and urged all customers to take immediate steps to protect themselves. Days earlier, researchers from eEye Digital Security Inc. of Aliso Viejo, Calif., discovered the flaw and notified McAfee. eEye's own security software, Blink, competes against some of McAfee's products.

eEye demonstrated the attack for The Associated Press by remotely creating a file on a reporter's computer.

"McAfee apologizes for any unintended impact to customers as a result of this published vulnerability," McAfee said in e-mails to clients. "We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work."

Consumer versions of McAfee's security software, sold at retail outlets around the country, were not affected because — unlike corporate versions — they do not depend on McAfee's centralized management tool for updates to protect against the newest viruses and other threats.

"This is probably one of the most widely used corporate antivirus components," said Andrew Jaquith, the security research program manager at the Boston-based Yankee Group, an analyst firm. "It is a little ironic that products designed to protect you are actually making you vulnerable."

McAfee's chief executive, George Samenuk, complained earlier this week about vulnerabilities in software from Microsoft Corp., which competes increasingly against companies like McAfee and Symantec Corp.

"I'm not sure corporations and governments are going to trust Microsoft with their security when they have these new vulnerabilities announced every month," Samenuk told the IDG News Service, which publishes trade magazines.

Jaquith said security companies increasingly study competitors' products for design flaws. He predicted McAfee will not lose customers over the flaw. "You're not going to see a stampede for the door," Jaquith said.

eEye discovered an unrelated but equally serious flaw in May in versions of leading antivirus software from Symantec, which fixed the problem just days later.
Click to expand...

Maybe if we don't say anything no one will notice

Ramble · 15 Jul 2006

I'm not sure what to say about this one. It's a good thing that they fixed a flaw, but a bad thing they didn't tell anyone.
It certainly is a busy news day for you isn't it?

fathom17 · 17 Jul 2006

That must be a first. A developer apologising about a bug in their software.

I'm not entirelly sure why they need to apologise? Its not like they did it on purpose.

Nexxo · 17 Jul 2006

Apologies are customary for any unintentional mistake or inconvenience caused. It's like when you accidentally bump into someone and say: "sorry".

If it was deliberate, obviously no apologies would apply.

Log in or Sign up

McAfee apologizes for not publicizing fix

Cthippo Can't mod my way out of a paper bag

Ramble Ginger Nut

fathom17 What's a Dremel?

Nexxo * Prefab Sprout – The King of Rock 'n' Roll

Share This Page

Log in or Sign up

McAfee apologizes for not publicizing fix

Cthippo Can't mod my way out of a paper bag

Ramble Ginger Nut

fathom17 What's a Dremel?

Nexxo * Prefab Sprout – The King of Rock 'n' Roll

Share This Page

Useful Searches