
McAfee's Website Full of Security Holes

Soulskill posted more than 3 years ago | from the par-for-the-course dept.

Security 114

Julie188 writes "The McAfee.com website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security/hacking mailing list. Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe."


114 comments


Your own dog food... (4, Insightful)

Locke2005 (849178) | more than 3 years ago | (#35644282)

Eat it!

Re:Your own dog food... (2)

WrongSizeGlass (838941) | more than 3 years ago | (#35644394)

So McAfee's website is as secure as MySQL.com? [slashdot.org] This intertubes thing just keeps getting better and better.

Re:Your own dog food... (2)

PsyciatricHelp (951182) | more than 3 years ago | (#35645092)

Which would be as secure as RSA.

Mod parent up! (3, Interesting)

khasim (1285) | more than 3 years ago | (#35644436)

McAfee markets products to scan websites. At least use them on your own site!

If the scans didn't turn up the vulnerabilities ... well it looks like you have a problem with your products.

Re:Mod parent up! (2)

BagOBones (574735) | more than 3 years ago | (#35644674)

I created a post on this already (probably while you were posting this) they DO scan the site, and it is McAfee SECURE CERTIFIED. Shows what it is worth.

Re:Mod parent up! (4, Insightful)

jackdub (1938908) | more than 3 years ago | (#35644708)

Quis custodiet ipsos custodes?

Re:Mod parent up! (2)

kyuubiunl (1747574) | more than 3 years ago | (#35645876)

McAfee secures on the "si fecisti nega!" principle.

Re:Mod parent up! (3, Funny)

Locke2005 (849178) | more than 3 years ago | (#35646384)

Apparently so does Bart Simpson: “I didn't do it, nobody saw me do it, there's no way you can prove anything!”

Re:Mod parent up! (1)

Locke2005 (849178) | more than 3 years ago | (#35646390)

Can't you just say "Who watches the watchers?" like a normal person?

Re:Mod parent up! (1)

kyuubiunl (1747574) | more than 3 years ago | (#35646536)

Maybe it was an homage to Terry Pratchett? (Night Watch, Commander Vimes)

Re:Mod parent up! (1)

Anonymous Coward | more than 3 years ago | (#35646652)

What good are all those expensive classes learning a dead language when you can't use said language to look like an arrogant dick on the internet?

Re:Mod parent up! (1)

mwvdlee (775178) | more than 3 years ago | (#35649740)

Latine scribere quivis Google translate...
http://translate.google.nl/#en|la|who%20watches%20the%20watchmen [google.nl]

Re:Mod parent up! (1)

grcumb (781340) | more than 3 years ago | (#35649234)

Can't you just say "Who watches the watchers?" like a normal person?

Quid?

Re:Mod parent up! (1)

Bacon Bits (926911) | more than 3 years ago | (#35649464)

No, this is SlashDot.

Re:Mod parent up! (5, Interesting)

Anonymous Coward | more than 3 years ago | (#35645426)

Posting AC for obvious reasons...

At my former employer, I was in charge of managing the McAfee Secure scans (but not remediation) for all of our external sites. The maddening thing for me was that we got a ridiculously large amount of time to remediate any vulnerabilities before the Certified logo would show any issues (30 days comes to mind). Additionally, the scans only took place once per month. You could have a vulnerability out there for up to 60 days without ever getting addressed and everything shows up as fine and dandy, McAfee Secure Certified (tm). IMHO this is unacceptable and gives a false sense of security to the end-user. It also makes it damn hard to motivate the people in charge of patching and shoring up their piss-poor system admin practices to actually get off their damn asses and do something about it. A typical conversation after discovering a vulnerability went something like this:

Me: McAfee Secure found these problems. *Sends scan report*
Joe Sixpack SysAdmin: Meh, I've got a whole month before I need to remediate these issues, so it's not really a vulnerability yet. I'll wait until day 29 and a half to look at it, then freak out and point the finger back at you when I can't get it fixed in under 10 minutes.
Me: *facepalm*

Needless to say, when I see a McAfee Secure Certified logo on any site, I basically ignore it at best or altogether avoid the site at worst. It's a joke. Only less funny.

On the positive side, the scan reports are very pretty. A hell of a lot better than McAfee Vulnerability Manager's sh*t reports.

Re:Mod parent up! (2)

aix tom (902140) | more than 3 years ago | (#35645350)

I guess they are kinda like consultants in that regard. They can find problems pretty quick, but they have no idea how to fix them. ;-P

Re:Your own dog food... (1)

Mr.FreakyBig (3755) | more than 3 years ago | (#35644564)

Where I work, it's called Flying Our Own Jets (FOOJ). No, we don't make airplanes.

Re:Your own dog food... (0)

Anonymous Coward | more than 3 years ago | (#35645016)

Where I work it's called sucking on our own cocks.

Re:Your own dog food... (1)

Belial6 (794905) | more than 3 years ago | (#35647220)

Do they offer training on that? They just might get people to pay them for the opportunity. Of course, once the training is over, they will never leave their home, so then you'll need to train a whole new batch.

Re:Your own dog food... (1)

johnsnails (1715452) | more than 3 years ago | (#35645440)

I thought it was called... eating your own dog food?

Re:Your own dog food... (1)

mwvdlee (775178) | more than 3 years ago | (#35649746)

I wonder what they call it in the porn industry.

Re:Your own dog food... (1)

0racle (667029) | more than 3 years ago | (#35644568)

They might.

Re:Your own dog food... (1)

InsertCleverUsername (950130) | more than 3 years ago | (#35644690)

But they make really awful dog food. I can see why they'd avoid it.

Re:Your own dog food... (1)

grcumb (781340) | more than 3 years ago | (#35649198)

Eat it!

This is McAfee we're talking about. You're looking at the wrong end of the dog.

Nice (2)

mrbcs (737902) | more than 3 years ago | (#35644322)

Yup, there's some excellent credibility for you. Now can we get Norton to fall on their swords too?

McAfee and Norton. Are these not the two worst software companies?

Re:Nice (1)

Anonymous Coward | more than 3 years ago | (#35644352)

McAfee and Norton. Are these not the two worst software companies?

This being /. , someone's bound to mention Microsoft any minute now...

Re:Nice (1)

cobrausn (1915176) | more than 3 years ago | (#35644382)

Well, you just did. Does that count?

Re:Nice (1)

ArsenneLupin (766289) | more than 3 years ago | (#35644548)

Does that mean that this thread is officially over now?

Re:Nice (1)

cobrausn (1915176) | more than 3 years ago | (#35644598)

... No?

Re:Nice (0)

Anonymous Coward | more than 3 years ago | (#35644812)

Yes it is, you Nazi.

Re:Nice (0)

Anonymous Coward | more than 3 years ago | (#35644478)

Yup, there's some excellent credibility for you. Now can we get Norton to fall on their swords too?

McAfee and Norton. Are these not the two worst software companies?

Mcafee was just in here hocking their IPS as being superior to the competition in EVERY way, you barely have to touch it once installed!

Re:Nice (0)

Anonymous Coward | more than 3 years ago | (#35644532)

mcafee hawks mcafee.

smart users hock mcafee.

Re:Nice (1)

mrbcs (737902) | more than 3 years ago | (#35644880)

Why would anyone steal that shit?

Re:Nice (1)

Desler (1608317) | more than 3 years ago | (#35644854)

The only thing worse are the people who code Slashdot.

The Daily Chimpout (-1)

Anonymous Coward | more than 3 years ago | (#35644334)

Today, featuring Panama City Burger King Chimpout. [youtube.com]

minor (1)

Lord Ender (156273) | more than 3 years ago | (#35644356)

These are all minor security problems... some of which are so minor one could debate whether they should even be classified as security problems at all. Really, this is much ado about little. Any big website will have things like this. Even security experts make mistakes, and most of the staff at McAfee, as with all other big companies, aren't security experts.

Re:minor (5, Insightful)

sconeu (64226) | more than 3 years ago | (#35644476)

most of the staff at McAfee, as with all other big companies, aren't security experts

But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be held to a higher standard.

Re:minor (1)

$RANDOMLUSER (804576) | more than 3 years ago | (#35644684)

But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be ridiculed as the useless twats they always have been.

Much as I hate "FTFY" posts, I had to Fix That For You.

Re:minor (1)

Lord Ender (156273) | more than 3 years ago | (#35644808)

Show me where the people who manage McAfee's marketing web site are referred to as "security experts." I'll wait.

Re:minor (2)

sqlrob (173498) | more than 3 years ago | (#35644970)

Close enough? [mcafeesecure.com]

Re:minor (2)

flosofl (626809) | more than 3 years ago | (#35644976)

You seem to have a lack of understanding of how enterprise IT/IS actually works. You seem to think people in the marketing dept actually admin the web services for the company? In most modern medium to large (to ginormous) companies, there is a group in IT that is specifically tasked with managing the company's web presence including servers and software. A security group determines policies and practices that the Web group must follow. That same security group vets the services *before* going live and continually monitors and scans the web site for vulnerabilities. Other than content (and perhaps being the "owner"), the Marketing dept is probably not involved at *any* level of the web site.

I actually work in network security, and have for quite a while. It's been like this at every major company (Int'l bank and F500 companies) I've worked for since at least 1998. They most definitely *should* have been aware of these issues. The fact that they tout themselves as a "major security vendor" means these should have been remediated as soon as possible.

Re:minor (1)

donaggie03 (769758) | more than 3 years ago | (#35645044)

Why are you so adamant to absolve McAfee of their own stupidity? If a car is advertised as the fastest car ever, then that's ok because their marketing department isn't full of mechanical engineers?

Re:minor (1)

tnk1 (899206) | more than 3 years ago | (#35646086)

McAfee shouldn't be absolved of their mistakes, but those mistakes should be put into perspective.

If McAfee did happen to make an awesome vulnerability checker (okay, I'll wait while you stop laughing....), then the fact that they simply did not use it on their own site doesn't mean that the product fails, it means that they don't understand how failures in their public presentation can be damaging.

Of course, I don't know if the site checker fails, because I won't go near a McAfee product unless my workplace rams it down my throat (my current one does not). Nevertheless, as embarrassing as having site issues are... and they ARE embarrassing... it only proves that their web team does not know how to plug its holes. Even then, a number of the holes are relatively minor.

I agree that this represents what the police would call "probable cause" to turn a critical eye towards their products, but if you have a good reason to believe their product is right for you, it should not replace a more scientific evaluation. They may well still suit your needs. Or they might be a bunch of corporate monkeys. The important thing is that you did the intelligent thing even if they did not.

Re:minor (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#35646276)

Why are you so adamant to absolve McAfee of their own stupidity? If a car is advertised as the fastest car ever, then that's ok because their marketing department isn't full of mechanical engineers?

Welllll if you'll indulge me while I play Devil's Advocate for a moment...

It's more like Starbucks claiming that they make the best coffee ever, then having it scientifically proven that their tea is terrible.

It is humorous, but unless I'm really mistaken about the products they offer (and since their site is down I accept the risk that I may be corrected on this), you cannot install McAfee on a webserver and expect it to tell you that a cross-scripting vulnerability exists.

Again, this is just me being Devil's Advocate.

Re:minor (0)

Anonymous Coward | more than 3 years ago | (#35647262)

They have software that scans websites specifically for the crap that made it to their production webserver.

Re:minor (1)

MobileTatsu-NJG (946591) | more than 3 years ago | (#35647336)

Do you mean like a cross-site scripting exploit?

Re:minor (1)

timeOday (582209) | more than 3 years ago | (#35645696)

But the thing about McAfee is that they *do* market themselves as "security experts". Therefore they should be held to a higher standard.

Go ahead and hold them to whatever standard you like. The fact is, computer security in general is completely unmanageable. ALL solutions fix a certain set of problems while not fixing (or creating) others.

Everything I have seen points to an inescapable conclusion: you cannot protect any network of significant size from intrusions and leaks. Nobody has accomplished it for any significant amount of time. Even openbsd can't do it [osnews.com], and that's on a "default install" which is 0.0001% of the problem faced by any real enterprise.

My point isn't to destroy the important distinction between better and worse - there are important distinctions. But that distinction is lost with the simplistic assertion that "McAfee should know better."

Re:minor (1)

HungryHobo (1314109) | more than 3 years ago | (#35645788)

If they were just another big company that would be fine but when they can't even secure themselves while they're selling the service of securing others it deserves all the ridicule that the people here can dish out.

I can understand other companies not considering security to be a number 1 concern, they've got other things to worry about but a security company has no such excuse.

Re:minor (1)

mysidia (191772) | more than 3 years ago | (#35648546)

These are all minor security problems... some of which are so minor one could debate whether they should even be classified as security problems at all.

You think source code disclosure and XSS are MINOR security problems? Really?

Slashdot (-1)

Anonymous Coward | more than 3 years ago | (#35644376)

News for fucking bastards, stuff that is fucked up the ass of goatse!

what is the deal with intel (1)

jcombel (1557059) | more than 3 years ago | (#35644378)

it seems to me that intel has their stuff together on most things (market domination, monopolistic practices, aggressive vendor bullying, and making decent chips once in a while)
 
i never cared for mcafee's products, but i thought about giving them another shot: if intel thinks it's worth money, maybe it is, right?
 
yet every time i hear the name it's something bad. it was just last year that the false-positive on svchost.exe took down hospitals, schools, and even a few thousand of intel's own PCs that were still running WinXP.
 
what is intel thinking, putting so much money into mcafee? what do they know that we don't?

Re:what is the deal with intel (0)

Anonymous Coward | more than 3 years ago | (#35644438)

Chip level anti virus and I'm sure it was easier for them to just straight purchase Mcafee which has a "good" platform to work with already, than start from scratch.

Re:what is the deal with intel (0)

Anonymous Coward | more than 3 years ago | (#35644830)

svchost is a generic process name that a lot of background tasks, some of which are malicious, run under.

Re:what is the deal with intel (0)

Anonymous Coward | more than 3 years ago | (#35645048)

you don't understand: mcafee had false-positived svchost -itself- [eweek.com] . thousands went down. quality control heyoooooooooooooooooooooooooooooo

Those holes have purpose... (1)

bogaboga (793279) | more than 3 years ago | (#35644410)

Those 'holes' are intentionally left there. They are for demo purposes as McAfee needs to constantly improve their product. Trust me.

They learn a lot from what users, good intentioned and bad, do via their site.

Where's the $ (0)

Anonymous Coward | more than 3 years ago | (#35644454)

If anyone has followed IT for these years they've learned how to sell protection. But where's the money in not?

McAfee SECURE CERTIFIED (4, Funny)

BagOBones (574735) | more than 3 years ago | (#35644470)

Don't worry, I checked and the site is McAfee SECURE CERTIFIED
https://www.mcafeesecure.com/RatingVerify?ref=www.mcafee.com [mcafeesecure.com]

Re: McAfee SECURE CERTIFIED (1)

navyjeff (900138) | more than 3 years ago | (#35644758)

Does that make it a tautology? "It's secure; we even checked it ourselves."

Re: McAfee SECURE CERTIFIED (1)

machine321 (458769) | more than 3 years ago | (#35646254)

They tried to teach them, but they couldn't be taut.

Re: McAfee SECURE CERTIFIED (0)

Anonymous Coward | more than 3 years ago | (#35646314)

Does that make it a tautology? "It's secure; we even checked it ourselves."

nope, that it is not a tautology... keep trying and maybe someday you manage to use the word properly

Re: McAfee SECURE CERTIFIED (1)

Americium (1343605) | more than 3 years ago | (#35649804)

More like McAfee infected. One time I got McAfee on my computer, no idea how it happened, but it interfered terribly and was probably one of the hardest things to get rid of.

Safety (0)

Anonymous Coward | more than 3 years ago | (#35644490)

What this suggests is even supposedly safe pages/sites aren't always. If you have script blockers in your browser, for example NoScript in Mozilla Firefox, then revoke permissions for this and other sites that are reported as dangerous.

@Nice: Norton frequently fell on their own swords at a local level when I had it installed on my laptop.... it didn't even recognise not to block its own programs from working/connecting online for updates. #fail

Stay tuned... (0)

Anonymous Coward | more than 3 years ago | (#35644512)

...for the ritual shooting of the messenger.

Vulnerable != Unsafe (2)

nuckfuts (690967) | more than 3 years ago | (#35644560)

the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe

There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is in fact dangerous to view at that point in time, not whether it could potentially be made dangerous.

This is not to say I don't give a damn about XSS vulnerabilities and the like. It's simply a different (albeit related) topic.

Re:Vulnerable != Unsafe (1)

BagOBones (574735) | more than 3 years ago | (#35644744)

Part of getting the McAfee SECURE Certification IS passing a vulnerability check, they pass their own check, so clearly their check isn't that good.

"With McAfee SECURE for Websites, your site is scanned daily for thousands of hacker vulnerabilities. McAfee, the largest dedicated security company in the world, does this remotely, without any need for expensive or complicated hardware or software. Once certified to this high standard of security, McAfee SECURE customers showcase their safety status by displaying the McAfee SECURE trustmark."

Re:Vulnerable != Unsafe (0)

Anonymous Coward | more than 3 years ago | (#35644746)

I'd say that something is unsafe to the degree to which it is vulnerable. Minor vulnerabilities probably don't make for a relatively unsafe site, sure... however, to try to push the separation between vulnerability and safety seems to be akin to saying, "But the unstable volcano isn't erupting /right now/."

Re:Vulnerable != Unsafe (1)

LodCrappo (705968) | more than 3 years ago | (#35644930)

"There is a difference between whether a website is vulnerable to attacks and whether it's unsafe to view. If I'm going to open a page in my browser, I care whether or not the page is in fact dangerous to view at that point in time, not whether it could potentially be made dangerous."

Sort of like saying you're perfectly happy to drive over bridges that have a decent chance of collapsing, so long as they haven't collapsed at that time? Isn't the issue that a site which is perfectly safe to browse but vulnerable to attack can become unsafe to browse in an instant, just as the unsafe bridge works fine.. until it doesn't?

Re:Vulnerable != Unsafe (1)

nuckfuts (690967) | more than 3 years ago | (#35645170)

Sort of like saying you're perfectly happy to drive over bridges that have a decent chance of collapsing, so long as they haven't collapsed at that time?

No, it's not like that at all. A bridge that has "a decent chance of collapsing" is unsafe.

Isn't the issue that a site which is perfectly safe to browse but vulnerable to attack can become unsafe to browse in an instant,

In the case of web browsing, my main concern is whether a page is safe at the instant I view it, not whether it might become unsafe at a later time.

... just as the unsafe bridge works fine.. until it doesn't?

Again, I'm drawing a distinction between unsafe and vulnerable. The "unsafe bridge" is unsafe - period. I do not want to cross it, even if it's still "working fine".

If you want a bridge analogy, think of it like this: A bridge has a removable metal pin underneath. If someone removes the pin, the bridge will collapse when you cross it. Ideally, there should be a padlock on the pin that prevents removal. The question becomes, is the bridge "unsafe" if the pin is in place but not locked?

Getting back to McAfee, does their security scanner purport to tell you if the pin is in place, or if the pin cannot be removed? Another commenter has shown that McAfee was making both claims, and have therefore failed their own test.

Re:Vulnerable != Unsafe (1)

LodCrappo (705968) | more than 3 years ago | (#35645456)

Maybe it's just semantics. I'd consider most website vulnerabilities to be "unlocked pins" in your example. The reality is that unlike a bridge that has just fallen over, a website which has just been compromised is not easy to spot. I don't trust any tool to detect a compromised website instantly, therefore the potential for compromise seems the most reliable indicator of danger. As for whether McAfee does an acceptable job of any of this, I doubt it.

The old days of McAfee's "secure" FTP site (4, Interesting)

Nimey (114278) | more than 3 years ago | (#35644724)

Back about ten years ago, you used to be able to log into McAfee's FTP server and download their latest for-pay products. IIRC the username was something like "mcafee" and the password was "321". My former boss was a warez puppy and I gather this was commonly known on the scene.

Re:The old days of McAfee's "secure" FTP site (0)

Anonymous Coward | more than 3 years ago | (#35644828)

The username was "licensed", and to my knowledge, still works (though they no longer have all of their products there, just things like virus definitions)

Re:The old days of McAfee's "secure" FTP site (0)

Anonymous Coward | more than 3 years ago | (#35648052)

FYI: That was not a mistake.

Re:The old days of McAfee's "secure" FTP site (1)

Nimey (114278) | more than 3 years ago | (#35651664)

What leads you to believe that?

Misdirection (2, Insightful)

SuperKendall (25149) | more than 3 years ago | (#35644742)

How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...

Re:Misdirection (2)

Bobfrankly1 (1043848) | more than 3 years ago | (#35644852)

and virtualization being what it is, they could suffer an attack, log all the data, and swap in an HA clone in a matter of seconds. With appropriate monitoring it would be automated.

Re:Misdirection (1)

stumblingblock (409645) | more than 3 years ago | (#35645984)

and virtualization being what it is, they could suffer an attack, log all the data, and swap in an HA clone in a matter of seconds. With appropriate monitoring it would be automated.

does ANYBODY believe that? do you suppose that they suggest this to corporate customers?

Re:Misdirection (1)

TheRedDuke (1734262) | more than 3 years ago | (#35648298)

Pfft. Why would you ever use a virtual machine for security when you make the FINEST security products in the world?

Re:Misdirection (1)

hercubus (755805) | more than 3 years ago | (#35646544)

How do you know the McAfee home page is not one giant honeypot? After all they know hackers will be going after them. That's what I'd do if I were them...

Never attribute to competence that which can be adequately explained by stupidity. [ Krugman's Razor ]

Re:Misdirection (1)

virgnarus (1949790) | more than 3 years ago | (#35647784)

I'm pretty confident that the McAfee home page is a honeypot luring in the unwary...

Re:Misdirection (1)

islon (1864460) | more than 3 years ago | (#35651118)

How do you know the McAfee home page is not one giant honeypot?

Because it tastes like shit...

Re:Misdirection (1)

Just Some Guy (3352) | more than 3 years ago | (#35652400)

That's what I'd do if I were them...

No you wouldn't. If you truly became McAfee, you'd run around screaming "LINUX IS DANGEROUS WITHOUT ANTIVIRUS! WE SLOW YOUR COMPUTER SO YOU DON'T HAVE TO! I EAT PAINT!"

Which is still an improvement over what you'd do if you were Norton.

Curious (1)

Bobfrankly1 (1043848) | more than 3 years ago | (#35644770)

In hockey, the goaltender will intentionally "show" a spot as open, usually the five hole (the space between the legs). The player with the puck, seeing this, will often shoot for the five hole, only to have the prepared goalie close the five hole and stop the puck.

McAfee being what it is, could it be that they are "showing" these security holes in an attempt to goad the black hats into trying their latest tricks and toys on McAfee, who could in turn use that data to reinforce their protection software?

Re:Curious (0)

Anonymous Coward | more than 3 years ago | (#35646120)

lol..google "honey pot" or read above posts

The XSS FAQ (0)

Anonymous Coward | more than 3 years ago | (#35644818)

They've been sloppy and lazy for years (1)

Twon (46168) | more than 3 years ago | (#35644986)

About 5 years ago, I contributed to a paper that brought up a particularly brain-dead thing they did with the auto-update mechanism for their then-current consumer version of VirusScan:

http://www.usenix.org/events/hotsec06/tech/full_papers/bellissimo/bellissimo.pdf [usenix.org]

Long story short -- their ActiveX control exported a wrapper around the Win32 ShellExecute API. What could possibly go wrong? The XSS thing in their help here seems to be of the same "do the simplest thing, damn the consequences" variety; it looks like they've tried to patch the XSS issue but it's pretty weak sauce. Hint to McAfee: Did you know most browsers will load "HTTP://example.com" as readily as "http://example.com"?
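The case-sensitivity point in the comment above, as an added example that is not part of the original thread or McAfee's code: a case-sensitive prefix check beside a check that parses the value the way a browser does and allows only same-origin targets. The base URL, sample values and function names are hypothetical, and the shape of the weak check is an assumption based on the comment's hint.

```javascript
// Added example. SITE_BASE, the sample values and both function names are
// hypothetical; nothing here is taken from McAfee's site.
const SITE_BASE = "https://www.example.test/help/"; // constructed

// Weak check (assumed shape): a case-sensitive substring match against
// lowercase scheme prefixes. "HTTP://..." contains neither prefix.
function naiveIsExternal(value) {
  return value.includes("http://") || value.includes("https://");
}

// Hardened check: parse with the WHATWG URL parser (the same algorithm
// browsers use, which lowercases scheme and host), then allow only
// http(s) targets whose origin equals the site's own origin.
function classifyTarget(value, base = SITE_BASE) {
  let url;
  try {
    url = new URL(value, base); // relative values resolve against the site
  } catch {
    return { allowed: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.origin !== new URL(base).origin) {
    return { allowed: false, reason: `foreign origin ${url.origin}` };
  }
  return { allowed: true, reason: "same origin", href: url.href };
}

// Run both checks over a list of values and return the verdicts side by side.
function compare(samples) {
  return samples.map((value) => ({
    value,
    naiveSaysExternal: naiveIsExternal(value),
    parsed: classifyTarget(value),
  }));
}

// Constructed sample inputs.
const SAMPLES = [
  "http://example.com/",                     // caught by both checks
  "HTTP://example.com/",                     // missed by the naive check
  "topics/install.html",                     // legitimate relative link
  "HTTPS://WWW.EXAMPLE.TEST/help/faq.html",  // same site, odd casing
];

for (const row of compare(SAMPLES)) {
  console.log(
    row.value.padEnd(42),
    "naive external:", String(row.naiveSaysExternal).padEnd(5),
    "| parsed:", row.parsed.allowed ? "allow" : "reject", `(${row.parsed.reason})`
  );
}
```

The decision is made on the normalized, parsed form rather than on the raw string, so casing in the scheme or host cannot change the verdict.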

Re:They've been sloppy and lazy for years (0)

Anonymous Coward | more than 3 years ago | (#35646308)

This is because the consumer team wears clown shoes.

Most of the core tech is pretty good but the consumer team never met a technology they couldn't completely screw up. I worked for McAfee (not consumer, thankyouverymuch) for quite a stint, the Enterprise and Core teams are decent, largely located in Oregon and the UK, with some in India. The consumer guys are not located in the same sites and their work seems to indicate they have the IQ of monkeys.

Hopefully Intel will split the wheat and chaff.

Re:They've been sloppy and lazy for years (1)

Twon (46168) | more than 3 years ago | (#35651162)

That fits my limited observations pretty much exactly. We looked at their enterprise stuff during the same project and were completely confused why the straightforward, correct stuff over there didn't make it into the consumer version.

Rather unsurprising! (1)

pyrr (1170465) | more than 3 years ago | (#35645060)

McAfee's business model has been "security through rendering your computer nearly inoperative" for over a decade now, anyway. Just wait until the website gets pwned and stops working, and it will have been successfully "protected".

I don't know about you... (1)

CCarrot (1562079) | more than 3 years ago | (#35645288)

...but I love the smell of irony in the morning...afternoon...whatever.

It kinda reminds me of that NOMEX factory that burned down...well, isn't that odd. I remember hearing about that at a safety meeting a couple of years ago, but now I can't find any links to post, none at all...was it all a dream? A deliciously ironic dream?

(I could only wish my dreams were more exciting than creating my own safety meetings in my head...*sigh*)

Umm.. hello? (1)

NitroWolf (72977) | more than 3 years ago | (#35645346)

This is news? McAfee hasn't been secure or even any good at anti-virus since... like... the DOS days. If they ever were. Weren't they the ones who put out a DOS anti-virus kit? Or am I thinking of someone else? If it's someone else, then McAfee has always sucked.

Re:Umm.. hello? (0)

Anonymous Coward | more than 3 years ago | (#35648698)

mcafee, norton, and symantec all had dos antivirus (symantec bought norton in 1990 iirc).

Re:Umm.. hello? (0)

Anonymous Coward | more than 3 years ago | (#35650770)

So you posted your opinion on a product, then you tell us your opinion is based on something you don't know about.

Why'd you post again? God I love the internet.

Complete lack of concern for security (0)

Anonymous Coward | more than 3 years ago | (#35645466)

This doesn't surprise me in the least. The latest McAfee virus scanners run with very high privileges, but don't turn on such basic protections as NXCOMPAT (the no execute bit) and ASLR (Address Space Layout Randomization). These protections are very cheap to enable, and make vulnerabilities much harder to exploit.
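A way to check the two protections named in the comment above, as an added example that is not part of the original thread: it reads the `DllCharacteristics` field of a Windows PE header and reports whether the NXCOMPAT and ASLR (DYNAMICBASE) bits are set. The function names are hypothetical and the sample headers are constructed in memory, not taken from any product.

```javascript
// Added example. Function names are hypothetical; the sample images are
// constructed header stubs, not real binaries.
const DYNAMIC_BASE = 0x0040; // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR opt-in)
const NX_COMPAT = 0x0100;    // IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP opt-in)

const COFF_SIZE = 20;            // IMAGE_FILE_HEADER
const DLLCHAR_OFFSET = 70;       // same offset in PE32 and PE32+ optional headers
const MIN_OPTIONAL = DLLCHAR_OFFSET + 2;

// Parse just enough of a PE image (a Node Buffer) to read the mitigation flags.
function peMitigations(buf) {
  if (buf.length < 0x40 || buf.readUInt16LE(0) !== 0x5a4d) {
    throw new Error("not an MZ image");
  }
  const peOff = buf.readUInt32LE(0x3c); // e_lfanew
  if (peOff + 4 + COFF_SIZE + MIN_OPTIONAL > buf.length) {
    throw new Error("truncated PE header");
  }
  if (buf.readUInt32LE(peOff) !== 0x00004550) { // "PE\0\0"
    throw new Error("missing PE signature");
  }
  const optSize = buf.readUInt16LE(peOff + 4 + 16); // SizeOfOptionalHeader
  if (optSize < MIN_OPTIONAL) {
    throw new Error("optional header too small");
  }
  const opt = peOff + 4 + COFF_SIZE;
  const magic = buf.readUInt16LE(opt);
  if (magic !== 0x10b && magic !== 0x20b) {
    throw new Error("unknown optional header magic");
  }
  const flags = buf.readUInt16LE(opt + DLLCHAR_OFFSET);
  return {
    format: magic === 0x20b ? "PE32+" : "PE32",
    dllCharacteristics: flags,
    aslr: (flags & DYNAMIC_BASE) !== 0,
    nx: (flags & NX_COMPAT) !== 0,
  };
}

// Build a constructed header stub with the given DllCharacteristics value.
function buildSample(dllCharacteristics, magic = 0x10b) {
  const peOff = 0x80;
  const optSize = magic === 0x20b ? 0xf0 : 0xe0;
  const buf = Buffer.alloc(peOff + 4 + COFF_SIZE + optSize);
  buf.writeUInt16LE(0x5a4d, 0);                 // "MZ"
  buf.writeUInt32LE(peOff, 0x3c);               // e_lfanew
  buf.writeUInt32LE(0x00004550, peOff);         // "PE\0\0"
  buf.writeUInt16LE(optSize, peOff + 4 + 16);   // SizeOfOptionalHeader
  buf.writeUInt16LE(magic, peOff + 4 + COFF_SIZE);
  buf.writeUInt16LE(dllCharacteristics, peOff + 4 + COFF_SIZE + DLLCHAR_OFFSET);
  return buf;
}

// Constructed cases: both bits set, neither set, NX only on a 64-bit image.
const CASES = [
  ["hardened", buildSample(DYNAMIC_BASE | NX_COMPAT)],
  ["no opt-in", buildSample(0)],
  ["nx only (PE32+)", buildSample(NX_COMPAT, 0x20b)],
];
for (const [name, image] of CASES) {
  const r = peMitigations(image);
  console.log(name.padEnd(18), r.format.padEnd(6), "ASLR:", r.aslr, "NX:", r.nx);
}
```

For a real binary, pass the file's contents as a Buffer to `peMitigations`.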

No kidding (0)

Anonymous Coward | more than 3 years ago | (#35645758)

Not surprising since McAfee software is a joke, and so is Norton.

hubris (1)

godel_56 (1287256) | more than 3 years ago | (#35646200)

Embarrassing? Yes, especially given that the company aggressively markets its own McAfee Secure service that is supposed to assure consumers that McAfee has scanned a website and found it to be safe.

HBGary, is that you?

How I live with it... (1)

dbcad7 (771464) | more than 3 years ago | (#35647090)

I'm not sure how you people live with this crap.. I get customers all the time whose prophylactic safety net has malfunctioned on them, leaving them without access to the web, or their email.. Yes, I guess not being able to surf and check your email is possibly the safest route for them anyway.. So now you got these dudes looking for problems that will make the next version of funware better, and more complicated, and prone to creating people who can't figure out how come they can't get to Facebook.. The whole security industry is a self perpetuating nightmare... So how do I live with it ? .. I live with it, but taking a chance that someday these hackers will waste their time on trying to make my unpopular OS the same living hell that the users of the popular OS's enjoy.. Someday, they'll get around to us.. but till we become "worth their time", I guess I just have to live with it.

SERVER NOT FOUND (0)

Anonymous Coward | more than 3 years ago | (#35648726)

Ahahahah Server not Found
That only took a few Hours ^_^

Good... (1)

CaptainDefragged (939505) | more than 3 years ago | (#35650280)

...rot in hell McAfee.. after putting up with your crapware TPS at work all day.. f*ck you and f*ck your TPS garbage!

Hope they go bankrupt (1)

hesaigo999ca (786966) | more than 3 years ago | (#35651634)

Sorry, with this last one I hope they go bankrupt....you should be held accountable for your actions, and when you say you are about security, and you do not do the work on your own website...I think it should bring their end. MHO
