Security News > 2011 > March > Researchers point out holes in McAfee's Web site
http://news.cnet.com/8301-27080_3-20048135-245.html By Elinor Mills InSecurity Complex CNet News March 28, 2011 Researchers disclosed on a public security e-mail list today three vulnerabilities in the Web site of security firm McAfee, whose site has been found to have bugs several times before. The YGN Ethical Hacker Group told the Full Disclosure list that it had reported the problems to McAfee on February 10 and two days later the company said it was working to resolve them. The group disclosed them publicly after noticing that they remained open this weekend--a month and a half later. McAfee says it is aware of the vulnerabilities and is working to fix them. "It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information," the company said in a statement. "Additionally, we have not seen any malicious exploitation of the vulnerabilities." McAfee characterized the vulnerabilities as: * Cross Site Scripting in download.mcafee.com. "In a worst case scenario this vulnerability could allow attacks that spoof the McAfee brand by presenting a URL that looks like it directs to a McAfee Web site but in fact directs elsewhere." * Information disclosure on www.mcafee.com. "This issue gives some detail on an internally used application to measure Web traffic, but doesn't disclose any proprietary information or any customer information." [...] ___________________________________________________________ Tegatai Managed Colocation: Four Provider Blended Tier-1 Bandwidth, Fortinet Universal Threat Management, Natural Disaster Avoidance, Always-On Power Delivery Network, Cisco Switches, SAS 70 Type II Datacenter. Find peace of mind, Defend your Critical Infrastructure. http://www.tegataiphoenix.com/