McAfee admits, fixes design flaw

The antivirus software used by more than one-third of companies in the United States and Europe carried a serious security flaw earlier this year, and its users were not told. McAfee disclosed the flaw and its fix in an apologetic e-mail sent to customers last week.

The design flaw affects McAfee’s ePolicy Orchestrator, the corporate edition tool that manages security software across thousands of computers in large organizations, including the U.S. Department of Defense, which runs the software for its computer intrusion prevention systems. The flaw could let an attacker take control of the system to steal data, delete files or plant malicious programs. It does not affect McAfee’s consumer software versions, because they do not rely on the centralized management tool for the updates that protect against new viruses and threats.

Although McAfee discovered the flaw internally six months ago, it waited until July 14 to notify its users, days after eEye Digital Security was said to have notified McAfee of the same flaw.

According to AP reports, representatives of the Santa Clara, Calif.-based company say McAfee released the update presented as a new-feature release rather than as a security fix. Some users, unaware of the flaw, chose not to upgrade, fearing the update could introduce new problems in their organizations. McAfee is now urging all of its corporate edition customers to upgrade.

“McAfee believes in providing the most secure software to customers and worked closely with the private research team to validate that this update solves the security flaw…” the company said in a statement. “The update has been pushed to all live update servers and [has been] available for download since February of this year. This update will remedy the risk associated with this security flaw.”

McAfee public relations manager Erica Coleman says the company recently posted a security bulletin on its Web site. The bulletin says Common Management Agent Update 3.5.5 or later fixes the design vulnerability.

A spokesman for the company said there are no known incidents resulting from the flaw.