McAfee fixes flaw–without realizing it

by admin July 16, 2006 at 3:13 am

McAfee, without realizing it, has fixed a serious flaw in its popular product for managing security software, the security vendor said Friday.

The flaw affects McAfee’s ePolicy Orchestrator (ePO) Common Management Agent prior to the current 3.5.5 version, technology used to manage security software installed on about 40 million PCs in large organizations, McAfee said. A successful attack that exploits the flaw could result in the full compromise of a targeted computer, the company said.

“It is certainly one of the most serious issues that we have come across,” John Viega, vice president and chief security architect at Santa Clara, Calif.-based McAfee, said in an interview.

McAfee was notified of the flaw by eEye Digital Security on July 5, but at the time had already fixed the flaw in an update to its software that was released in January, Viega said. That update, the current 3.5.5 version, was meant to fine-tune the system, not fix security flaws, he said.

“We did not realize that we had fixed a security vulnerability until eEye alerted us to the problem last week,” Viega said. “We were optimizing the system, not looking for security vulnerabilities.” The optimization included changing from storing data in files to storing it in memory, which removed the flaw, he said.

Full story: ZDNet News