Is McAfee.com at Risk?
Researcher alleges security vendor McAfee has an insecure website, McAfee responds.
The YGN Ethical Hacker Group claims that McAfee.com is at risk from Cross Site Scripting (XSS) and Information Disclosure vulnerabilities.
"McAfee is aware of these vulnerabilities and we are working to fix them," McAfee noted in a statement sent to InternetNews.com. "It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities."
McAfee also is minimizing the actual risk that the security vulnerabilities pose. For the XSS vulnerability, McAfee noted that In a worst case scenario this vulnerability could allow attacks that spoof the McAfee brand.
The YGN Ethical Hacker group claims that it notified McAfee of the vulnerabilities on February 10th, 2011. McAfee did not directly respond to a question from InternetNews.com about when they were notified.
The fact that the security vendor has had its own website publicly exposed as having vulnerabilities has also raised some concerns about McAfee's security services for other websites.
"McAfee has strict policies in place for its own Web sites and for services provided by third parties," McAfee noted in the statement. "We are investigating how these particular vulnerabilities were not identified in our screening process and will adjust our processes if necessary."
Another key issue is about how McAfee deals with XSS issues in general, which is not something that the McAfee Secure trust mark service identifies.
"Currently, the presence of an XSS vulnerability does not cause a Web site to fail McAfee Secure certification because such vulnerabilities presently aren't deemed a serious enough threat to take that action," McAfee stated. "McAfee continuously evaluates the threat landscape and may adjust this position as appropriate."