Consumer versions of McAfee’s software for securing PCs are susceptible to a flaw that can expose passwords and other sensitive information stored on personal computers, researchers have said. The vulnerability affects many of McAfee's consumer products, including its Internet Security Suite, SpamKiller, Privacy Service and Virus Scan Plus titles, Marc Maiffret, chief hacking officer at eEye Digital Security a maker of security products, said.
McAfee spokeswoman Siobhan MacDermott confirmed the vulnerability and said software engineers were testing a fix. She said officials expected to release the patch Wednesday using a feature that automatically updates McAfee products over the Internet. The flaw does not affect 2007 versions of McAfee products, she said.
The flaw, if exploited, would make it possible for a criminal to track bank account numbers, and access, modify and delete sensitive files and do other damage on machines running the McAfee products, Maiffret said.
The flaw comes two weeks after eEye disclosed a hole in McAfee program for protecting business computers. In that case, McAfee said it had fixed the defect three months earlier but did not warn customers about it until eEye made it public. "McAfee had silently fixed this vulnerability, prior to the discovery by eEye", it noted.
But it added, "It is good for any software company to be proactive in trying to secure their software. However, it is equally important for software vendors to create a separation of security and features when providing updates. In this case, fixing an extremely critical vulnerability without the proper notification is a disservice to customers."
Users who were not informed that McAfee’s update fixed a security bug might "choose to stick with their current deployments, rather than re-deploying hundreds, if not thousands, of new agents for what would appear to solely contain innocuous feature updates", eEye Digital warned.
|
