May 13th, 2008
McAfee isn't "McAfee Secure" or "Hacker Safe"
In my most recent discussion on McAfee, I posted a talkback to Russ McRee stating, tongue in cheek, mind you, that it'd be interesting to see an XSS or SQL injection on McAfee's site, to see if they are indeed "McAfee Secure". Well, I guess you get what you ask for…
Russ McRee, on his HolisticInfoSec blog, posted the following:
“A challenge was put forth on Zero Day, and it has been answered. Apparently, McAfee doesn’t care about XSS on their own sites either. I’ll let the video speak for itself.
For the love of all things good and proper, McAfee, please address this issue…for yourselves and the consumers who look to you to do the right thing.
Sincerely,
Russ McRee”
Yes, that is what you think it is: a video of an XSS exposure on one of McAfee's sites. I'm not sure what to think about this… clearly, from some of McAfee's previous comments, we can reasonably assume that they don't truly understand how big an issue XSS is; further, I find it a bit disturbing that they aren't running McAfee Secure on their own sites if it is in fact a product that they are confident in selling to customers. So I think we have one of two possibilities here:
1.) McAfee is not using their own security tool on their own sites… hmm, that really spells brand confidence, doesn’t it?
2.) McAfee is using the tool, but the tool doesn’t do an adequate job of reporting security issues.
Now, I’m not one to say that I’m free of XSS… I’m fairly positive that ZDNet has XSS issues, but that’s not the point. The point is, I don’t try to sell a tool that is the magic silver bullet for protecting web applications, nor do I certify any of those applications by saying they are “Hacker Safe” or “Nate McFeters Secure”.
I think it is time that McAfee change its stance on XSS… it is a major issue and it deserves attention, certainly from a tool that certifies an application as being "Hacker Safe". I think it's also time they change their stance on their certification tool altogether… a simple scan will never be able to catch all the issues a web application faces.
-Nate

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.