[ISN] McAfee website visited by plague of security locusts

From: InfoSec News <alerts_at_private>
Date: Wed, 6 May 2009 01:04:33 -0500 (CDT)
http://www.theregister.co.uk/2009/05/05/mcafee_site_bugs/

By Dan Goodin in San Francisco
The Register
5th May 2009 

McAfee's website has been has been hit by at least three nasty bugs that 
left its customers susceptible to phishing and other types of scams. At 
least one remained unfixed at time of writing, more than 24 hours after 
it was first disclosed.

The most serious vulnerability, ironically enough, affected McAfee 
Secure, a service that certifies the security of sites that conduct 
ecommerce and other sensitive transactions. Mike Bailey of the 
Skeptikal.org blog found the site suffered from a CSRF, or cross-site 
request forgery, that could have allowed attackers to take control of 
customer accounts.

McAfee has already fixed the bug, but during the five weeks that Bailey 
monitored it, the site continued to bear the McAfee Security logo, 
raising questions about just how valuable such a mark is. McAfee Secure, 
after all, is designed to pinpoint precisely these types of 
vulnerabilities.

It also shines a bright light on the processes McAfee takes to ensure 
its websites are free of such hazards. According to Bailey, the 
vulnerable application was not designed with the benefit of an SDL, or 
secure development lifecycle, which builds products from scratch to make 
sure they follow security best practices. He also said that prior to the 
bug being reported, McAfee "had never performed a full code review for 
web vulnerabilities."

[...]


--
LayerOne 2009, Information Security for the discerning professional. 
May 23-24 2009 @ The Anaheim Marriott in Anaheim, California 
Visit http://layerone.info for more information
Received on Tue May 05 2009 - 23:04:33 PDT

This archive was generated by hypermail 2.2.0 : Tue May 05 2009 - 23:20:47 PDT