McAfee.com Full of Unfixed Security Vulnerabilities
Here is another for the "Security flaws can happen to anyone" files. Security researchers have found a number of Web site vulnerabilities on McAfee.com that can lead to cross-site scripting and other attacks.
The flaws were found by the YGN Ethical Hacker Group and posted on the Full Disclosure mailing list on March 28. YGN reported the bugs to McAfee on Feb. 10 before publicizing on to the security mailing list.
YGN found numerous information disclosure holes, such as being able to see an internal hostname from the Web site and 18 source code disclosures where actual code was visible. YGN also found cross-site scripting flaws on the area of McAfee.com hosting McAfee's files for downloading software, according to the Full Disclosure post.
This is a blow to McAfee's reputation, considering it offers enterprises a McAfee Secure service to scan customer Web sites daily for "thousands of hacker vulnerabilities."
McAfee Secure tests for vulnerabilities that could potentially reveal personal information, any malicious links, phishing attempts, and other embedded threats that may have been added onto the site.
Clearly, McAfee should have run the service on its own site.
McAfee told YGN it was resolving the issues on Feb. 12, but as of March 27, the flaws were "unfixed completely," YGN said in its post. As a result, YGN publicly disclosed the flaws and recommended the company "use outbound monitoring of traffic to detect potential information leakage." Ha.
YGN also reminded McAfee that it had acquired Foundstone, a Web security services company, in 2004, and suggested the company make better use of those experts.
McAfee has been subject to a number of XSS flaws since 2008, according to XSSed.com.