"A challenge was put forth on Zero Day, and it has been answered. Apparently, McAfee doesn't care about XSS on their own sites either. I'll let the video speak for itself. For the love of all things good and proper, McAfee, please address this issue... for yourselves and the consumers who look to you to do the right thing. Sincerely, Russ McRee"

Yes, that is what you think it is: a video of an XSS exposure on one of McAfee's sites. I'm not sure what to think about this... clearly, from some of McAfee's previous comments, we can reasonably assume that they don't truly understand how big of an issue XSS is; further, I find it a bit disturbing that they aren't running McAfee Secure on their own sites if it is in fact a product that they are confident in selling off to customers. So I think we have one of two possibilities here:

1.) McAfee is not using their own security tool on their own sites... hmm, that really spells brand confidence, doesn't it?

2.) McAfee is using the tool, but the tool doesn't do an adequate job of reporting security issues.

Now, I'm not one to say that I'm free of XSS... I'm fairly positive that ZDNet has XSS issues, but that's not the point. The point is, I don't try to sell a tool that is the magic silver bullet for protecting web applications, nor do I certify any of those applications by saying they are "Hacker Safe" or "Nate McFeters Secure". I think it is time that McAfee change its stance about XSS... it is a major issue and it deserves attention, certainly from a tool that certifies an application as being "Hacker Safe". I think it's also time they change their stance about their certification tool altogether... a simple scan will never be able to catch all the issues a web application faces.

-Nate
posted by Nathan McFeters
May 13, 2008 @ 10:20 am