Researchers point out holes in McAfee's Web site

[InfoSec News <alerts () infosecnews org>]

http://news.cnet.com/8301-27080_3-20048135-245.html

By Elinor Mills
InSecurity Complex
CNet News
March 28, 2011 

Researchers disclosed on a public security e-mail list today three 
vulnerabilities in the Web site of security firm McAfee, whose site has 
been found to have bugs several times before.

The YGN Ethical Hacker Group told the Full Disclosure list that it had 
reported the problems to McAfee on February 10 and two days later the 
company said it was working to resolve them. The group disclosed them 
publicly after noticing that they remained open this weekend--a month 
and a half later.

McAfee says it is aware of the vulnerabilities and is working to fix 
them. "It is important to note that these vulnerabilities do not expose 
any of McAfee's customer, partner or corporate information," the company 
said in a statement. "Additionally, we have not seen any malicious 
exploitation of the vulnerabilities."

McAfee characterized the vulnerabilities as:

* Cross Site Scripting in download.mcafee.com. "In a worst case scenario 
  this vulnerability could allow attacks that spoof the McAfee brand by 
  presenting a URL that looks like it directs to a McAfee Web site but 
  in fact directs elsewhere."

* Information disclosure on www.mcafee.com. "This issue gives some 
  detail on an internally used application to measure Web traffic, but 
  doesn't disclose any proprietary information or any customer 
  information."

[...]


___________________________________________________________      
Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery 
Network, Cisco Switches, SAS 70 Type II Datacenter. 
Find peace of mind, Defend your Critical Infrastructure.
http://www.tegataiphoenix.com/