McAfee explains recent vulnerabilities on its website. McAfee has sent the editors of Diario Ti a public statement explaining the nature of the vulnerabilities affecting its site and mentioned in this article. For your interest, we reproduce the note in full.
“On Monday, March 28, news agencies reported vulnerabilities in McAfee websites. In this regard, the security company says that it is aware of these vulnerabilities and is working to solve them.
Importantly, these vulnerabilities do not expose any of McAfee’s customer, partner or corporate information, and no malicious activity has been seen.
Incidentally, McAfee says it knew of the vulnerabilities and that, for causes that are being investigated, the resolution process has taken longer than it would have liked. Processes will be modified as necessary to prevent this from happening again.
Whenever a vulnerability is reported, the organization strives to address it as soon as possible. Unfortunately, the process has taken longer than we would have liked in this case; we are investigating the cause of the delay and will modify our processes as necessary to prevent this from happening again.
These website vulnerabilities have been publicly disclosed on Full Disclosure, a high-traffic security mailing list. The three vulnerabilities are clarified below:
- Cross-Site Scripting on download.mcafee.com: In the worst-case scenario, the vulnerability could allow attacks that spoof the McAfee brand by presenting a URL that appears to lead to a McAfee website but actually leads elsewhere.
- Information disclosure on [must register to view this link]: This problem exposes some details of applications used internally to measure web traffic, but does not disclose any confidential information or customer information.
- Information disclosure on download.mcafee.com: This problem provides access to the source of some of the interactive pages on our site, but it does not reveal confidential information or any customer information either. (This problem was solved at around 8 pm Pacific time on Monday, March 28.)
The presence of an XSS vulnerability is not cause for denying a website McAfee Secure certification, because these vulnerabilities are not considered a threat serious enough to take that action. McAfee continuously evaluates the threat landscape and can adjust this position as appropriate.
Finally, McAfee says that exploiting an XSS vulnerability typically requires the creation of a malicious URL to exploit insecure elements of the original website and the use of social engineering, phishing or a persistent link to compromise unsuspecting users. In contrast, SQL injection or buffer overflow vulnerabilities are much more harmful, because an attacker does not have to rely on social engineering to cause harm.”