Security vulnerabilities on McAfee sites, including one designed to scan customers' sites for flaws, exposed certain customer accounts and could have been used for phishing attacks in which malware disguised as McAfee software could be distributed, security experts say.
McAfee said late on Tuesday that most of the vulnerabilities were fixed, except for one part of the website that was taken offline to be fixed.
The McAfee sites were found to be vulnerable to cross-site scripting attacks and cross-site request forgery attacks that could lead to phishing attacks on customers who think they are visiting the security vendor's site, according to an article on ReadWriteWeb.
One of the vulnerable sites was McAfee Secure, which scans customer sites to determine if they are vulnerable to such attacks. The problem would signal either that McAfee does not run McAfee Secure across all its own sites or that the product does not work well, the report said.
To fall victim to a cross-site request forgery attack on that site, targets would have to be logged into their McAfee accounts and browse to a malicious website that exploits the vulnerability, according to the Risky.biz site.
Such attacks on sites of antivirus vendors are particularly dangerous because they enable attackers to create fake versions of security products that install Trojans or other malware and customers will trust it, Lance James, co-founder of Secure Science Corporation, told ReadWriteWeb.
The hole on the McAfee Secure site would indicate that the company failed to comply with PCI requirements for Approved Scanning Vendors, did not use a secure software-development lifecycle in building the application, and neglected to do an in-depth penetration test of the site, security researcher Mike Bailey wrote on his Skeptikal.org blog on Monday.
Read this
Why scammers find rich pickings on Facebook
People shed their normal caution on social-networking sites, leaving the scammers and worm-writers to rub their hands with glee...
McAfee spokesman Joris Evers said the site taken offline was the McAfee Knowledge Center, which is part of its customer support site that uses software from a third-party provider. The site had a cross-site scripting vulnerability, he said.
"These types of vulnerabilities are rarely exploited in the wild and thus aren't deemed to be severe," he said in an email. None of the vulnerabilities exposed any McAfee corporate information and the company had not seen any malicious exploitation of the vulnerabilities, he added.
"McAfee has strict policies in place for its own websites and for services provided by third parties," Evers said. "We are investigating how these particular vulnerabilities were not identified in our screening process and will adjust our processes if necessary."
McAfee is not the only security company to have security problems on its site. Last month, The Register reported on a cross-site scripting vulnerability on Symantec's site. And in February, a Romanian hacker site claimed to have used cross-site scripting and SQL injection attacks to breach the sites of F-Secure, Kaspersky and BitDefender .
