[Infowarrior] - McAfee Gets Worked. Hard.

Richard Forno rforno at infowarrior.org
Tue May 5 12:37:44 UTC 2009


McAfee Gets Worked. Hard.
Embarrassing vulnerabilities in McAfee websites poised to make headlines...
By Patrick Gray

http://risky.biz/news_and_opinion/patrick-gray/2009-05-05/mcafee-gets-worked-hard

May 5, 2009 --

Security software maker McAfee is an industry laughing stock following  
the disclosure of embarrassing security vulnerabilities in its websites.

A Cross Site Request Forgery (CSRF) vulnerability uncovered in  
McAfee's "secure" vulnerability scanning portal would have allowed an  
attacker to take control of client accounts. The portal is designed to  
scan customer websites for security vulnerabilities and to fulfil some  
PCI DSS compliance requirements.

To fall victim to the attack the target would have to be logged in to  
their McAfee account and browse to a malicious website that exploited  
the CSRF bug.

Commenting on his CSRF discovery, security researcher Mike Bailey  
didn't pull punches. "Until last week, McAfee Secure was vulnerable to  
critical CSRF holes," he wrote on his blog. "Not little ones, or ones  
that were difficult to exploit. [These are] basic, zero-knowledge,  
classic GET-based total-account-compromise holes."

Bailey claims that McAfee did not comply with the PCI requirements for  
Approved Scanning Vendors as defined by the PCI Security Standards  
Council, and believes the company failed to use a secure software  
development lifecycle when building the application.

Furthermore, a penetration test should have caught the problem, he  
wrote, so he concludes that "no such audit has taken place".
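The bug class Bailey describes, a state-changing request that a browser will send on a plain GET with nothing but the victim's session cookie as proof of intent, is easiest to see next to the handler that stops it. The following is an added illustration written for this post, not McAfee's code and not Bailey's: a hypothetical account portal (origin `https://portal.example`, a constructed value) with a "change e-mail" action implemented the vulnerable way and the hardened way. The hardened version refuses GET for state changes, checks that the `Origin`/`Referer` header names the site itself, and requires a per-session CSRF token that a third-party page cannot read.

```python
"""Constructed demo of a GET-based, cookie-only state change beside a hardened
handler.  Hypothetical portal; none of this is McAfee's or Mike Bailey's code."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://portal.example"   # assumed application origin


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)    # query string or form body
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    email: str
    # Per-session secret embedded in the site's own forms; a cross-site page
    # cannot read it, so it cannot be forged along with the cookie.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def login(sessions: dict, user: str, email: str) -> str:
    """Create a session and return the id the browser would keep in a cookie."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = Session(user, email)
    return sid


def vulnerable_change_email(req: Request, sessions: dict):
    """The 'classic GET-based' pattern: the session cookie alone is accepted as
    proof of intent, and the browser attaches that cookie to any request for
    this origin regardless of which page caused it."""
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    sess.email = req.params["email"]
    return 200, f"email changed to {sess.email}"


def same_origin(url: str) -> bool:
    """Compare scheme and host exactly; a prefix check would accept
    'https://portal.example.attacker.test'."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_change_email(req: Request, sessions: dict):
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    # 1. State changes only via POST, so a link, image fetch or redirect is never enough.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Browsers send Origin (or at least Referer) on cross-site POSTs; reject
    #    anything that does not come from the site itself, including no header at all.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return 403, "cross-origin request rejected"
    # 3. The per-session token must match, compared in constant time.
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    sess.email = req.params["email"]
    return 200, f"email changed to {sess.email}"


def forged_cross_site_request(sid: str) -> Request:
    """What the victim's browser emits when an unrelated page it is visiting
    references the portal URL: the cookie rides along, the token does not."""
    return Request("GET", "/change_email", cookies={"sid": sid},
                   params={"email": "attacker@example"},
                   headers={"Referer": "https://attacker.example/"})


def demo():
    """Run the forged request against both handlers, then a legitimate
    same-site form submission against the hardened one."""
    sessions: dict = {}
    sid = login(sessions, "alice", "alice@example")
    forged = forged_cross_site_request(sid)
    v_status, _ = vulnerable_change_email(forged, sessions)   # 200: account changed
    sessions[sid].email = "alice@example"                     # reset for the next run
    h_status, _ = hardened_change_email(forged, sessions)     # 405: GET refused
    legit = Request("POST", "/change_email", cookies={"sid": sid},
                    params={"email": "alice@newmail.example",
                            "csrf_token": sessions[sid].csrf_token},
                    headers={"Origin": SITE_ORIGIN})
    l_status, _ = hardened_change_email(legit, sessions)      # 200: real user succeeds
    return v_status, h_status, l_status, sessions[sid].email


if __name__ == "__main__":
    print(demo())
```

The three checks are deliberately layered: the method restriction alone is defeated by an auto-submitting form, the origin check alone fails for clients that strip `Referer`, and the token alone is the one control that holds in both cases, which is why it is the one a PCI-style review of a portal like this would look for first. A `SameSite` attribute on the session cookie adds a fourth, browser-enforced layer that this toy `Request` does not model.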

Another, seemingly unrelated Cross Site Scripting (CSS, more commonly  
abbreviated XSS) bug in a McAfee website allows miscreants to create  
pages that appear to be hosted on McAfee domains, when in fact the  
content is being served from elsewhere. Worse, no SSL errors would be  
generated in this attack, so even a vigilant user would be fooled.

SecureScience.net has demonstrated the attack by creating a "buy now"  
page for McAfee products which, if a user clicked through to it, would  
steal their credit card number and deliver a trojaned version of  
McAfee's product.

It's feared spammers could exploit the bug to offer seemingly  
legitimate "special deal offers" on McAfee products, using the CSS bug  
to create a genuine-looking purchase page with a valid SSL cert.  
McAfee, presumably, is scrambling to fix this second issue.

Ironically, marketing material for McAfee's secure scanning portal  
claims the service detects CSS vulnerabilities.

Sydney-based security consultant Chris Gatford, who works for Pure  
Hacking, believes the disclosures highlight an all too common  
hypocrisy among security providers. "It's a sad fact that many  
security service providers do not practice what they preach," he says.

Others thought the revelations were nothing short of hilarious. One  
local PCI Qualified Security Assessor (QSA), who did not want to be  
named, described the news as hysterical. "If there was a vote for lolz  
of the year I would be voting for McAfee Secure," he says. "That's  
just stunning."

McAfee isn't the only security vendor to wear egg on its face this  
year. The website of antivirus software maker Kaspersky was defaced in  
February. The website of BitDefender, another AV vendor, was also  
defaced.

Risky.biz sought comment from McAfee, but due to time-zone differences  
the company was unable to offer any response in time for deadline.



More information about the Infowarrior mailing list