
McAfee Patches Critical Bug In Consumer Security Software

The vulnerability could allow attackers to install Trojans, hijack PCs, and delete files, among other malicious activities. eEye Digital Security, which discovered the bug, has categorized it as a "High" threat.

McAfee on Tuesday updated a buggy component of its consumer security software to quash a vulnerability that could let attackers hijack PCs.

The flaw in SecurityCenter, a status panel and threat notifier included with McAfee consumer and small business security titles such as VirusScan, SpamKiller, and Internet Security Suite, was discovered by eEye Digital Security and reported to McAfee two weeks ago.

According to eEye's alert, which was posted Monday, the SecurityCenter vulnerability allows attackers to compromise the computer, which in turn can lead to installation of Trojans, deletion of files, or other malicious activities. eEye marked the bug as a "High" threat.

Simultaneously, McAfee issued its own security bulletin informing customers that it had revised SecurityCenter and as of Saturday pushed the new version 7.0 to its update servers. "Most users will automatically receive this update," said the McAfee alert.

McAfee, which rated the vulnerability as just a "medium" threat because an attack would require the user to visit a malicious Web site, said it will release patches for older versions of SecurityCenter on Wednesday. The patches will only be necessary if a user declines to update to 7.0.

This was the second eEye-discovered McAfee security flaw revealed in July. Mid-month, eEye posted an advisory about a serious bug in McAfee's enterprise-grade ePolicy Orchestrator management software.

At the time, eEye's chief hacking officer, Marc Maiffret, took McAfee to task for silently patching the bug without telling customers. "Fixing an extremely critical vulnerability without the proper notification is a disservice to customers," Maiffret wrote in a July 13 bulletin.

Tuesday, Maiffret noted the earlier bug before commenting on the importance of tracking security vendors' vulnerabilities. "This becomes even more timely considering McAfee and Symantec's pending battle for the consumer desktop security space against Microsoft's OneCare," he said.

Coincidentally, on Tuesday McAfee launched new versions of its VirusScan Plus, PC Protection Plus, Internet Security Suite, and Total Protection packages, all of which include SiteAdvisor, the malicious Web site warning software. All also bundle SecurityCenter with a selection of security tools.
