News

McAfee Quietly Fixes Software Flaw

A leading computer security company quietly fixed a dangerous design flaw months ago, but did not warn businesses and U.S. government agencies until Friday.

• By The Associated Press
• 07/14/2006

McAfee issued a rare apology and urged customers immediately to install updated versions of its software. McAfee's antivirus software is used by more than one-third of corporations in the United States and Europe. A spokeswoman, Siobhan MacDermott, said there were no reports of victims.

The design flaw affects McAfee's "ePolicy Orchestrator," used for managing security software on tens of thousands of computers across large organizations. The Defense Department announced last month it has selected the technology from Santa Clara, Calif.-based McAfee to run its computer-intrusion-prevention systems worldwide.

McAfee said its own engineers first discovered the flaw, which lets attackers seize control of computers to steal sensitive data, delete files or implant malicious programs. McAfee produced a software update in February but described it only as offering new feature enhancements.

Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems.

Reversing course, McAfee acknowledged the design problem Friday and urged all customers to take immediate steps to protect themselves. Days earlier, researchers from eEye Digital Security Inc. of Aliso Viejo, Calif., discovered the flaw independently and notified McAfee. eEye's own security software, Blink, competes against some of McAfee's products.

eEye demonstrated the attack for The Associated Press by remotely creating a file on a reporter's computer.

"McAfee apologizes for any unintended impact to customers as a result of this published vulnerability," McAfee said in e-mails to clients. "We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work."

Consumer versions of McAfee's security software, sold at retail outlets around the country, were not affected because -- unlike corporate versions -- they do not depend on McAfee's centralized management tool for updates to protect against the newest viruses and other threats.

"This is probably one of the most widely used corporate antivirus components," said Andrew Jaquith, the security research program manager at the Boston-based Yankee Group, an analyst firm. "It is a little ironic that products designed to protect you are actually making you vulnerable."

McAfee's chief executive, George Samenuk, complained earlier this week about vulnerabilities in software from Microsoft Corp., which competes increasingly against companies like McAfee and Symantec Corp.

"I'm not sure corporations and governments are going to trust Microsoft with their security when they have these new vulnerabilities announced every month," Samenuk told the IDG News Service, which publishes trade magazines.

Jaquith said security companies increasingly study competitors' products for design flaws. He predicted McAfee will not lose customers over the flaw. "You're not going to see a stampede for the door," Jaquith said.

eEye discovered an unrelated but equally serious flaw in May in versions of leading antivirus software from Symantec, which fixed the problem just days later.