McAfee Fixes Security Flaw By Accident

The flaw, if successfully exploited, would allow a remote, unauthenticated attacker to compromise an affected system and execute arbitrary code in the SYSTEM context.

According to the security specialists eEye Digital Security, the flaw affected McAfee’s ePolicy Orchestrator, the console used to monitor and administer McAfee’s enterprise software products. The vulnerability was discovered independently by McAfee and by eEye Digital Security, but McAfee fixed it in a product update that was issued, and described, as a performance improvement rather than as a security fix.

Although McAfee’s update was released in January, it was only once it became aware of the vulnerability that it sent email to its corporate customers urging them to upgrade.

eEye Digital Security’s Chief Hacking Officer Marc Maiffret criticized McAfee over the way it has handled the situation. His concern was that many enterprises operate on an “if it ain’t broke, don’t fix it” basis: a routine product update is easy to defer indefinitely, whereas an update explicitly labelled as a security fix is far more likely to be prioritized and deployed.

“It is good for any software company to be proactive in trying to secure their software. However, it is equally important for software vendors to create a separation of security and features when providing updates. In this case, fixing an extremely critical vulnerability without the proper notification is a disservice to customers. The mindset of most customers, especially when dealing with agent software, is to use what works.”