McAfee Quietly Fixes Software Flaw
A leading computer security company quietly fixed a dangerous design flaw months ago, but did not warn businesses and U.S. government agencies until Friday.
A leading computer security company, McAfee Inc., quietly fixed a dangerous
design flaw months ago in its flagship technology for managing protective software
in large organizations but did not warn businesses and U.S. government agencies until Friday.
McAfee issued a rare apology and urged customers immediately to install updated
versions of its software. McAfee's antivirus software is used by more than one-third
of corporations in the United States and Europe. A spokeswoman, Siobhan MacDermott,
said there were no reports of victims.
The design flaw affects McAfee's "ePolicy Orchestrator," used for
managing security software on tens of thousands of computers across large organizations.
The Defense Department announced last month it has selected the technology from
Santa Clara, Calif.-based McAfee to run its computer-intrusion-prevention systems.
McAfee said its own engineers first discovered the flaw, which lets attackers
seize control of computers to steal sensitive data, delete files or implant
malicious programs. McAfee produced a software update in February but described
it only as offering new feature enhancements.
Many corporations and government agencies are reluctant to update software
unless necessary because of fears that doing so might introduce new problems.
Reversing course, McAfee acknowledged the design problem Friday and urged all
customers to take immediate steps to protect themselves. Days earlier, researchers
from eEye Digital Security Inc. of Aliso Viejo, Calif., discovered the flaw
independently and notified McAfee. eEye's own security software, Blink, competes
against some of McAfee's products.
eEye demonstrated the attack for The Associated Press by remotely creating
a file on a reporter's computer.
"McAfee apologizes for any unintended impact to customers as a result
of this published vulnerability," McAfee said in e-mails to clients. "We
know that our ability to protect customers quickly in the event of an outbreak
depends largely on your confidence in our work."
Consumer versions of McAfee's security software, sold at retail outlets around
the country, were not affected because -- unlike corporate versions -- they do
not depend on McAfee's centralized management tool for updates to protect against
the newest viruses and other threats.
"This is probably one of the most widely used corporate antivirus components,"
said Andrew Jaquith, the security research program manager at the Boston-based
Yankee Group, an analyst firm. "It is a little ironic that products designed
to protect you are actually making you vulnerable."
McAfee's chief executive, George Samenuk, complained earlier this week about
vulnerabilities in software from Microsoft Corp., which competes increasingly
against companies like McAfee and Symantec Corp.
"I'm not sure corporations and governments are going to trust Microsoft
with their security when they have these new vulnerabilities announced every
month," Samenuk told the IDG News Service, which publishes trade magazines.
Jaquith said security companies increasingly study competitors' products for
design flaws. He predicted McAfee will not lose customers over the flaw. "You're
not going to see a stampede for the door," Jaquith said.
eEye discovered an unrelated but equally serious flaw in May in versions of
leading antivirus software from Symantec, which fixed the problem just days