McAfee's Website Full of Security Holes
Julie188 writes "The McAfee.com website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security/hacking mailing list. Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe."
Your own dog food... (Score:5, Insightful)
Mod parent up! (Score:4, Interesting)
McAfee markets products to scan websites. At least use them on your own site!
If the scans didn't turn up the vulnerabilities ... well it looks like you have a problem with your products.
Re: (Score:3)
I created a post on this already (probably while you were posting this) they DO scan the site, and it is McAfee SECURE CERTIFIED. Shows what it is worth.
What good are all those expensive classes learning a dead language when you can't use said language to look like an arrogant dick on the internet?
Re: (Score:2)
Anyone can write Latin with Google Translate...
http://translate.google.nl/#en [google.nl]|la|who%20watches%20the%20watchmen
Re: (Score:2)
Can't you just say "Who watches the watchers?" like a normal person?
What?
Re: (Score:2)
No, this is SlashDot.
Re:Mod parent up! (Score:5, Interesting)
At my former employer, I was in charge of managing the McAfee Secure scans (but not remediation) for all of our external sites. The maddening thing for me was that we got a ridiculously large amount of time to remediate any vulnerabilities before the Certified logo would show any issues (30 days comes to mind). Additionally, the scans only took place once per month. You could have a vulnerability out there for up to 60 days without ever getting addressed and everything shows up as fine and dandy, McAfee Secure Certified (tm). IMHO this is unacceptable and gives a false sense of security to the end-user. It also makes it damn hard to motivate the people in charge of patching and shoring up their piss-poor system admin practices to actually get off their damn asses and do something about it. A typical conversation after discovering a vulnerability went something like this:
Me: McAfee Secure found these problems. *Sends scan report*
Joe Sixpack SysAdmin: Meh, I've got a whole month before I need to remediate these issues, so it's not really a vulnerability yet. I'll wait until day 29 and a half to look at it, then freak out and point the finger back at you when I can't get it fixed in under 10 minutes.
Me: *facepalm*
Needless to say, when I see a McAfee Secure Certified logo on any site, I basically ignore it at best or altogether avoid the site at worst. It's a joke. Only less funny.
On the positive side, the scan reports are very pretty. A hell of a lot better than McAfee Vulnerability Manager's sh*t reports.
Re: (Score:1)
I'm also a former employee and posting as AC for anonymous reasons. Note that all but two of the vulnerabilities are from the download site. That site is comprised of a number of servers that exclusively host the DAT files and updates. Not the website itself. The download servers are also supported by a development team that doesn't know anything about web security, so it doesn't surprise me in the least that their site is the one with the vast majority of issues.
Thing is, McAfee knew about the vulnerabilities o
Re: (Score:2)
I guess they are kinda like consultants in that regard. They can find problems pretty quick, but they have no idea how to fix them. ;-P
Re: (Score:1)
Where I work, it's called Flying Our Own Jets (FOOJ). No, we don't make airplanes.
Re: (Score:2)
I wonder what they call it in the porn industry.
Re: (Score:2)
But they make really awful dog food. I can see why they'd avoid it.
Re: (Score:2)
Eat it!
This is McAfee we're talking about. You're looking at the wrong end of the dog.
Nice (Score:2)
McAfee and Norton. Are these not the two worst software companies?
Re: (Score:1)
McAfee and Norton. Are these not the two worst software companies?
This being /., someone's bound to mention Microsoft any minute now...
Re: (Score:1)
The only thing worse are the people who code Slashdot.
minor (Score:2)
These are all minor security problems... some of which are so minor one could debate whether they should even be classified as security problems at all. Really, this is much ado about little. Any big website will have things like this. Even security experts make mistakes, and most of the staff at McAfee, as with all other big companies, aren't security experts.
Re:minor (Score:5, Insightful)
But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be held to a higher standard.
Re: (Score:2)
Much as I hate "FTFY" posts, I had to Fix That For You.
Re: (Score:2)
Show me where the people who manage McAfee's marketing web site are referred to as "security experts." I'll wait.
Re: (Score:3)
Close enough? [mcafeesecure.com]
Re: (Score:2)
A scan? Are you kidding? Scanning can prove the existence of security problems; it can never prove that none exist. This is like IT 101, kid.
Re: (Score:2)
That is a lie.
Citation needed. Can't back up your lies?
So do I. And because I work in a place larger than a popsicle stand, I know that minor security issues like this are par for the course in marketing material. I also know that security analysis is expensive. And to top it off, I know that organizations, even security organizations, don't do well if they waste money on minor issues th
Re: (Score:2)
McAfee shouldn't be absolved of their mistakes, but those mistakes should be put into perspective.
If McAfee did happen to make an awesome vulnerability checker (okay, I'll wait while you stop laughing....), then the fact that they simply did not use it on their own site doesn't mean that the product fails, it means that they don't understand how failures in their public presentation can be damaging.
Of course, I don't know if the site checker fails, because I won't go near a McAfee product unless my workplac
Re: (Score:2)
Why are you so adamant to absolve McAfee of their own stupidity? If a car is advertised as the fastest car ever, then that's ok because their marketing department isn't full of mechanical engineers?
Welllll if you'll indulge me while I play Devil's Advocate for a moment...
It's more like Starbucks claiming that they make the best coffee ever, then having it scientifically proven that their tea is terrible.
It is humorous, but unless I'm really mistaken about the products they offer (and since their site is down I accept the risk that I may be corrected on this), you cannot install McAfee on a webserver and expect it to tell you that a cross-scripting vulnerability exists.
Again, this is just me being Devi
Re: (Score:2)
Do you mean like a cross-site scripting exploit?
Re: (Score:2)
Go ahead and hold them to whatever standard you like. The fact is, computer security in general is completely unmanageable. ALL solutions fix a certain set of problems while not fixing (or creating) others.
Everything I have seen points to an inescapable conclusion: you cannot protect any network of significant size from intrusions and leaks. Nobody has accomplished
Re: (Score:2)
If they were just another big company that would be fine but when they can't even secure themselves while they're selling the service of securing others it deserves all the ridicule that the people here can dish out.
I can understand other companies not considering security to be a number 1 concern, they've got other things to worry about but a security company has no such excuse.
Re: (Score:2)
http://en.wikipedia.org/wiki/BeEF_(Browser_Exploitation_Framework) [wikipedia.org]
http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios [wikipedia.org]
Re: (Score:1)
These are all minor security problems... some of which are so minor one could debate whether they should even be classified as security problems at all.
You think source code disclosure and XSS are MINOR security problems? Really?
Re: (Score:2)
Yes. Slashdot's source code is "disclosed." Do you call that a threat?
Is XSS minor? Yes, this particular variety is the minor end of the spectrum. There are far more serious problems which are very common with web apps (injection, authentication, etc.).
Re: (Score:1)
Yes. Slashdot's source code is "disclosed." Do you call that a threat?
First of all, no it's not. Slashcode's source code is disclosed, because it is an open source project. And Slashdot has code in common, but they aren't 100% equal.
Second, that's intentional disclosure, meaning the code has probably been reviewed to ensure it doesn't contain anything sensitive. There's a big difference between what goes in an intended disclosure and accidental leak.
Is XSS minor? Yes, this particular variety is
Re: (Score:2)
So some of slashdot's code is available. The same is true of McAfee's marketing website. Minor.
You call XSS in a marketing site 'critical.' I would love to know what you don't think is critical. I would bet real money that such a problem is nowhere near the high end of the spectrum of most companies' security threat profiles.
what is the deal with intel (Score:1)
It seems to me that Intel has their stuff together on most things (market domination, monopolistic practices, aggressive vendor bullying, and making decent chips once in a while).
I never cared for McAfee's products, but I thought about giving them another shot: if Intel thinks it's worth money, maybe it is, right?
Yet every time I hear the name it's something bad. It was just last year that the false positive on svchost.exe took down hospitals, schools, and even a few thousand of Intel's own P
Those holes have purpose... (Score:2)
Those 'holes' are intentionally left there. They are for demo purposes as McAfee needs to constantly improve their product. Trust me.
They learn a lot from what users good intentioned and bad do via their site.
McAfee SECURE CERTIFIED (Score:5, Funny)
Don't worry, I checked and the site is McAfee SECURE CERTIFIED
https://www.mcafeesecure.com/RatingVerify?ref=www.mcafee.com [mcafeesecure.com]
Re: (Score:1)
They tried to teach them, but they couldn't be taut.
Vulnerable != Unsafe (Score:3)
the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe
There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is in fact dangerous to view at that point in time, not whether it could potentially be made dangerous.
This is not to say I don't give a damn about XSS vulnerabilities and the like. It's simply a different (albeit related) topic.
Re: (Score:2)
Part of getting the McAfee SECURE Certification IS passing a vulnerability check; they pass their own check, so clearly their check isn't that good.
"With McAfee SECURE for Websites, your site is scanned daily for thousands of hacker vulnerabilities. McAfee, the largest dedicated security company in the world, does this remotely, without any need for expensive or complicated hardware or software. Once certified to this high standard of security, McAfee SECURE customers showcase their safety status by display
Re: (Score:2)
"There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is in fact dangerous to view at that point in time, not whether it could potentially be made dangerous."
Sort of like saying you're perfectly happy to drive over bridges that have a decent chance of collapsing, so long as they haven't collapsed at that time? Isn't the issue that a site which is perfectly safe to browse but vulnerabl
Re: (Score:2)
Sort of like saying you're perfectly happy to drive over bridges that have a decent chance of collapsing, so long as they haven't collapsed at that time?
No, it's not like that at all. A bridge that has "a decent chance of collapsing" is unsafe.
Isn't the issue that a site which is perfectly safe to browse but vulnerable to attack can become unsafe to browse in an instant,
In the case of web browsing, my main concern is whether a page is safe at the instant I view it, not whether it might become unsafe at a later time.
... just as the unsafe bridge works fine.. until it doesn't?
Again, I'm drawing a distinction between unsafe and vulnerable. The "unsafe bridge" is unsafe - period. I do not want to cross it, even if it's still "working fine".
If you want a bridge analogy, think of it like this: A bridge has a removable metal pin underneath. If so
Re: (Score:2)
Maybe it's just semantics. I'd consider most website vulnerabilities to be "unlocked pins" in your example. The reality is that unlike a bridge that has just fallen over, a website which has just been compromised is not easy to spot. I don't trust any tool to detect a compromised website instantly, therefore the potential for compromise seems the most reliable indicator of danger. As for whether McAfee does an acceptable job of any of this, I doubt it.
The old days of McAfee's "secure" FTP site (Score:5, Interesting)
Back about ten years ago, you used to be able to log into McAfee's FTP server and download their latest for-pay products. IIRC the username was something like "mcafee" and the password was "321". My former boss was a warez puppy and I gather this was commonly known on the scene.
Re: (Score:2)
What leads you to believe that?
Misdirection (Score:3, Insightful)
How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...
Re: (Score:1)
and virtualization being what it is, they could suffer an attack, log all the data, and swap in an HA clone in a matter of seconds. With appropriate monitoring it would be automated.
does ANYBODY believe that? do you suppose that they suggest this to corporate customers?
Re: (Score:2)
How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...
Never attribute to competence that which can be adequately explained by stupidity. [ Krugman's Razor ]
Re: (Score:2)
How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...
Never attribute to competence that which can be adequately explained by stupidity. [ Krugman's Razor ]
And we all know what happens when you use someone else's razor...
Re: (Score:1)
How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...
Never attribute to competence that which can be adequately explained by stupidity. [ Krugman's Razor ]
And we all know what happens when you use someone else's razor...
Depends on whom you use it on.
Re: (Score:1)
I'm pretty confident that the McAfee home page is a honeypot luring in the unwary...
I wonder why you're so confident of that, but that story seems like good marketing.
Re: (Score:1)
How do you know the McAfee home page is not one giant honeypot?
Because it tastes like shit...
Re: (Score:2)
That's what I'd do if I were them...
No you wouldn't. If you truly became McAfee, you'd run around screaming "LINUX IS DANGEROUS WITHOUT ANTIVIRUS! WE SLOW YOUR COMPUTER SO YOU DON'T HAVE TO! I EAT PAINT!"
Which is still an improvement over what you'd do if you were Norton.
Curious (Score:2)
McAfee being what it is, could it be that they are "showing" these security holes in an attempt to goad the black hats into trying their latest tricks and toys on McAfee, who could in turn use that data to reinforce their protection software?
They've been sloppy and lazy for years (Score:1)
About 5 years ago, I contributed to a paper that brought up a particularly brain-dead thing they did with the auto-update mechanism for their then-current consumer version of VirusScan:
http://www.usenix.org/events/hotsec06/tech/full_papers/bellissimo/bellissimo.pdf [usenix.org]
Long story short -- their ActiveX control exported a wrapper around the Win32 ShellExecute API. What could possibly go wrong? The XSS thing in their help here seems to be of the same "do the simplest thing, damn the consequences" variety; it looks
Re: (Score:1)
That fits my limited observations pretty much exactly. We looked at their enterprise stuff during the same project and were completely confused why the straightforward, correct stuff over there didn't make it into the consumer version.
Rather unsurprising! (Score:2)
I don't know about you... (Score:2)
...but I love the smell of irony in the morning...afternoon...whatever.
It kinda reminds me of that NOMEX factory that burned down...well, isn't that odd. I remember hearing about that at a safety meeting a couple of years ago, but now I can't find any links to post, none at all...was it all a dream? A deliciously ironic dream?
(I could only wish my dreams were more exciting than creating my own safety meetings in my head...*sigh*)
Umm.. hello? (Score:2)
This is news? McAfee hasn't been secure or even any good at anti-virus since... like... the DOS days. If they ever were. Weren't they the ones who put out a DOS anti-virus kit? Or am I thinking of someone else? If it's someone else, then McAfee has always sucked.
Re: (Score:2)
Well, take your pick:
1) I was making the point that McAfee hasn't been worth a shit since before the turn of the millennium OR they haven't ever been worth a shit.
2) Aggravating douchebags like yourself who aren't smart enough to figure out number 1.
hubris (Score:1)
Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe.
HBGary, is that you?
How I live with it... (Score:2)
Good... (Score:2)
Hope they go bankrupt (Score:2)
Sorry, with this last one I hope they go bankrupt... You should be held accountable for your actions, and when you say you are about security, and you do not do the work on your own website... I think it should bring their end. MHO