eEye Warns of Worm Hole in McAfee Anti-virus Products



A code execution vulnerability in software products sold by Internet security vendor McAfee could put millions at risk of computer takeover attacks, according to a warning from eEye Digital Security.

The flaw affects fully patched versions of all McAfee consumer security products, including the company's flagship McAfee Internet Security Suite 2006.

eEye Chief Hacking Officer Marc Maiffret, in Aliso Viejo, Calif., said his company is withholding technical details on the vulnerability until McAfee completes work on a patch.


Maiffret said the issue was discovered and reported to McAfee on July 19.
"This vulnerability can be used to compromise systems running these McAfee consumer products and allow attackers to run code with the ability to modify/delete files [or] backdoor systems," Maiffret said in an e-mail exchange with eWEEK.


In keeping with its disclosure policy, eEye has posted a deliberately vague advisory on the bug.

Maiffret said his company's researchers were able to successfully compromise the following products: McAfee Internet Security Suite 2006, McAfee Wireless Home Network Security, McAfee Personal Firewall Plus, McAfee VirusScan, McAfee Privacy Service, McAfee SpamKiller and McAfee AntiSpyware.


From:
http://www.eweek.com/article2/0,1895,1997344,00.asp