The YGN Ethical Hacker Group claims that McAfee.com is at risk from Cross Site Scripting (XSS) and Information Disclosure vulnerabilities.
"McAfee is aware of these vulnerabilities and we are working to fix them," McAfee noted in a statement sent to InternetNews.com. "It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities."
McAfee is also playing down the actual risk that the vulnerabilities pose. For the XSS vulnerability, McAfee noted that "in a worst case scenario this vulnerability could allow attacks that spoof the McAfee brand." Script injected through an XSS flaw runs in the context of the vulnerable domain, so attacker-controlled content could be presented under McAfee's own address.

On the information disclosure issues, McAfee noted that there are two separate vulnerabilities. One could provide an attacker with details about an application used internally at McAfee.com to measure Web traffic. The second gives access to the source code of some of the interactive pages on the McAfee.com Web site. In both cases, McAfee noted, the information disclosure issues do not expose any customer information.
The YGN Ethical Hacker Group claims that it notified McAfee of the vulnerabilities on February 10, 2011. McAfee did not directly respond to a question from InternetNews.com about when it was notified.
That a security vendor's own Web site has been publicly shown to contain vulnerabilities has also raised concerns about the security services McAfee provides to other Web sites.
"McAfee has strict policies in place for its own Web sites and for services provided by third parties," McAfee noted in the statement. "We are investigating how these particular vulnerabilities were not identified in our screening process and will adjust our processes if necessary."
Another key issue is how McAfee treats XSS in general, since an XSS vulnerability is not something the McAfee Secure trust mark service flags as a failing condition.
"Currently, the presence of an XSS vulnerability does not cause a Web site to fail McAfee Secure certification because such vulnerabilities presently aren't deemed a serious enough threat to take that action," McAfee stated. "McAfee continuously evaluates the threat landscape and may adjust this position as appropriate."