McAfee apologizes for not publicizing fix|
A leading computer security company, McAfee Inc., fixed a dangerous design flaw months ago in its flagship technology for managing protective software in large organizations but did not warn businesses and U.S. government agencies until Friday.
McAfee issued a rare apology and urged customers to install updated versions of its software immediately. McAfee's antivirus software is used by more than one-third of corporations in the United States and Europe. A spokeswoman, Siobhan MacDermott, said there were no reports of victims.
The design flaw affects a component in McAfee's "ePolicy Orchestrator," used for managing security software on tens of thousands of computers across large organizations. The Defense Department announced last month it has selected the technology from Santa Clara, Calif.-based McAfee to run its computer-intrusion-prevention systems worldwide.
McAfee six months ago inadvertently repaired the flaw after an engineer made other changes to its software, said its chief security architect, John Viega. The flaw in McAfee's "common management agent" lets attackers in some cases seize control of computers to steal sensitive data, delete files or implant malicious programs.
"We didn't really realize we fixed the problem," Viega said. "We fixed one, but it was by accident."
McAfee produced a software update in January based on the changes but described it only as offering new feature enhancements.
Many corporations and government agencies are reluctant to update software unless necessary because of fears that doing so might introduce new problems.
McAfee acknowledged the design problem Friday and urged all customers to take immediate steps to protect themselves. Days earlier, researchers from eEye Digital Security Inc. of Aliso Viejo, Calif., discovered the flaw and notified McAfee. eEye's own security software, Blink, competes against some of McAfee's products.
eEye demonstrated the attack for The Associated Press by remotely creating a file on a reporter's computer.
"McAfee apologizes for any unintended impact to customers as a result of this published vulnerability," McAfee said in e-mails to clients. "We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work."
Consumer versions of McAfee's security software, sold at retail outlets around the country, were not affected because — unlike corporate versions — they do not depend on McAfee's centralized management tool for updates to protect against the newest viruses and other threats.
"This is probably one of the most widely used corporate antivirus components," said Andrew Jaquith, the security research program manager at the Boston-based Yankee Group, an analyst firm. "It is a little ironic that products designed to protect you are actually making you vulnerable."
McAfee's chief executive, George Samenuk, complained earlier this week about vulnerabilities in software from Microsoft Corp., which competes increasingly against companies like McAfee and Symantec Corp.
"I'm not sure corporations and governments are going to trust Microsoft with their security when they have these new vulnerabilities announced every month," Samenuk told the IDG News Service, which publishes trade magazines.
Jaquith said security companies increasingly study competitors' products for design flaws. He predicted McAfee will not lose customers over the flaw. "You're not going to see a stampede for the door," Jaquith said.
eEye discovered an unrelated but equally serious flaw in May in versions of leading antivirus software from Symantec, which fixed the problem just days later.
McAfee security programs may expose data|
Consumer versions of McAfee Inc.'s leading software for securing PCs is susceptible to a flaw that can expose passwords and other sensitive information stored on personal computers, researchers said Monday.
Niche competitors crowd into MySpace
Is MySpace losing its cool? Margaret Marks, 17, thinks so.
Apple Recalls MacBook Pro Batteries
Apple Computer Inc. has issued a recall for batteries included with MacBook Pro notebooks sold from February through May 2006.
Oracle 'Losing Patience' with XenSource, VMware
Oracle is fast losing its patience with both XenSource and VMware over their reluctance to work together to help develop a single interface that will integrate a variety of virtualization solutions in the Linux kernel.
Linux Leader Takes Aim At Free Software Movement
Linus Torvalds, who helped create the open source operating system Linux, is blasting the Free Software Foundation (FSF) again as the group releases its latest draft of a revised General Public License (GPL).
Host Color Comes With Lower Prices and 90 Day Money Back Guarantee
Host Color, a global shared web hosting provider announced today that it has taken down the price of its premier Multi Domain web hosting plan from $14.99 per month to $9.99 per month. The discount is available with 24 month contracts. The Multi Domain plan allows company's customers to host 10 different web sites in one hosting account. Host Color has also cut off the price of the same hosting plan for 12 month contracts.
Novell Drops Proprietary Software From Linux Distributions
Novell Inc. on Tuesday said it has stopped shipping proprietary software with its Linux server and desktop products, in order to provide companies with a distribution free of any potential legal hassles.
McAfee Patches Critical Bug In Consumer Security Software
McAfee on Tuesday updated a buggy component of its consumer security software to quash a vulnerability that could let attackers hijack PCs.
Adobe backs 3rd-qtr financial outlook
Design software maker Adobe Systems Inc. said on Tuesday third-quarter sales and profit would be within the target ranges it provided on June 15, sending shares up 5 percent.
Google, Real, Mozilla in pact
Google Inc. has extended a multi-year deal with RealNetworks Inc. to promote Google software across Real's entertainment and multimedia products, the companies said on Wednesday.