McAfee online scan used plain old HTTP to fetch screen elements

McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text. The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI …


!DOH!

*FacePalm*

Fool proof

The only reason that the average Joe is proof against rejecting McAfee is that the average Joe can't grasp just how mindbogglingly stupid this exploit is.

You know the piping that brings the stove gas into your house? We put a switch at the curb so that your neighbor's kid could pick natural gas, hydrogen sulfide, or hydrogen cyanide. The first is so you can have tea, the second two so you won't have bugs. Convenient, eh?

Job application: proof reader

"The image below outlines in red the screen element SecuriTeam’s informant attacked"

The only images below are links to other articles (or adverts)

(I can see the intended image on the securiteam article: https://blogs.securiteam.com/index.php/archives/3350 )

#seriously

Is this model trusting 3rd parties not to be evil?

Wow, but I'm not convinced this article has more than scratched the surface of the real security issue, likewise "fixing" it using HTTPS only fixes the 4th party exploit described.

It's not difficult to understand why a security scanner needs admin access to a system. This context presumably prevents normal sandboxing, as you would get for 3rd party scripts linked through a webpage - though I block such scripts generally. But even if the 3rd party content were provided using HTTPS, is it really considered sane for such content to have the same admin access to the PC as the scanner it funds? It sounds to me like the 3rd parties are probably not just getting access to _show_ you their content. An investigation into whether they are in fact, or are capable of, _accessing_ likely more valuable content on the machine being scanned seems called for.

Personal data seems likely to be more valuable than the right to display content during a scan or web page view, and it's why I'm refusing so many mobile apps inappropriate rights to access this on my mobile platforms which they don't need in order to deliver the functionality offered.

window.external.LaunchApplication("c:\\windows\\system32\\calc.exe", "");

So... Some JavaScript sent to "a browser" (the lingering ghost of IE?) has the capability of running an external application? Who the bloody effing hell thought that was a good idea?

Shock!

Adverts served may contain malware!

Re: Shock!

Antivirus programs may serve malware!

Fixed.

Now I know... why ATT, my current ISP, gave this suite away to all its users.

Biting the hand that feeds IT © 1998–2017