McAfee Patches Flaw In Security Software
Hackers could exploit the flaw to run code on a vulnerable PC with the privileges of the logged on user, said Steve Manzuik, research manager at eEye, Aliso Viejo, Calif. Researchers at eEye discovered the flaw and alerted McAfee on July 19.
The exploit could lead to the complete compromise of an affected PC, enabling attackers to hit the rest of a network with malware or launch denial of service attacks against other networks, Manzuik added.
McAfee rated the severity of threat as 'medium' on the grounds that the exploits requires reverse engineering of the software in addition to the assistance of the user.
However, eEye rated the severity of the flaw as 'high' due to the potential for remote code execution. Symantec's Deepsight Threat Management System rated it as 9 on a scale of 10, and Danish security research firm Secunia labeled it "highly critical."
The National Vulnerability Database, which assigned scores using the Common Vulnerability Scoring System (CVSS), had yet to issue a rating late Tuesday.
Santa Clara, Calif.-based McAfee has issued a SecurityCenter 7.0 update through its live update servers for the vulnerability, which affects SecurityCenter versions 4.3 through 6.0.22, according to an advisory. McAfee is working on a patch for older versions of SecurityCenter and expects to release it Wednesday.
This is the second McAfee vulnerability that eEye has discovered in the past month. Last month, eEye reported a vulnerability in the agent software of McAfee's ePolicy Orchestrator (ePO) -- used to manage McAfee enterprise security products -- that could have enabled hackers to gain unauthorized access to a system and perform a variety of malicious acts.
McAfee revealed it had inadvertently fixed the flaw in an update several months earlier, issued an apology to customers, and urged them to install updated software.