Vulnerabilities Patched in McAfee SaaS for Total Protection

This week, there has been public interest regarding some issues disclosed in McAfee products. McAfee treats security issues in our products very seriously, and so our Product Security team will explain the details around these issues. They do not affect all McAfee products; both are in a single product, SaaS for Total Protection, our hosted antimalware service. We have mitigating factors already in place that reduce risk, and a patch is coming to remediate any additional risk to our customers. The patch will be released on January 18 or 19, as soon as we have finished testing. Because this is a managed product, all affected customers will automatically receive the patch when it is released. We have no evidence of loss or compromise of any customer data in relation to either of these issues.

Two issues in SaaS for Total Protection have arisen in the past few days. In the first, an attacker might misuse an ActiveX control to execute code. The second involves a misuse of our “rumor” technology to allow an attacker to use an affected machine as an “open relay,” which could be used to send spam.

The first issue has much in common with a similar issue patched in August 2011. In fact, the patch delivered then basically cuts off the exploitation path for this issue, effectively reducing the risk to zero. Because of this, customer data is not directly at risk.

The second issue has been used to allow spammers to bounce email off affected machines, resulting in an increase in outgoing email from those machines. Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine. The forthcoming patch will close this relay capability.

[Update: the patch for the spam issue is now rolling out to customers, and everyone should have the update shortly.]