
[ISN] McAfee website visited by plague of security locusts

From: InfoSec News (alertsinfosecnews.org)
Date: Wed May 06 2009 - 01:04:33 CDT


http://www.theregister.co.uk/2009/05/05/mcafee_site_bugs/

By Dan Goodin in San Francisco
The Register
5th May 2009

McAfee's website has been hit by at least three nasty bugs that
left its customers susceptible to phishing and other types of scams. At
least one remained unfixed at time of writing, more than 24 hours after
it was first disclosed.

The most serious vulnerability, ironically enough, affected McAfee
Secure, a service that certifies the security of sites that conduct
ecommerce and other sensitive transactions. Mike Bailey of the
Skeptikal.org blog found the site suffered from a CSRF, or cross-site
request forgery, that could have allowed attackers to take control of
customer accounts.
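The article names the bug class (CSRF) but not what separates a forgeable account-settings handler from a safe one. The following is an added illustration, not code from the article, McAfee or Skeptikal.org: a minimal request and session model with a hypothetical change-email handler in its cookie-only form beside a hardened form that requires a per-session synchronizer token (compared in constant time) and rejects a mismatched Origin header. The origin `https://app.example` and the field names are assumptions for the demo.

```python
"""Synchronizer-token CSRF defence, as a stand-alone model.

Constructed example (not McAfee's code): a tiny request/session model
and an account-settings handler shown without and with an anti-CSRF
token check. Running demo() replays one cross-site POST against both.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    email: str
    # One unguessable token per session, rendered into the site's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict
    headers: dict = field(default_factory=dict)


ALLOWED_ORIGIN = "https://app.example"  # hypothetical origin of the real site


def change_email_vulnerable(session: Session, req: Request) -> bool:
    """'Before' form: trusts the cookie-bound session alone, so a POST
    triggered from another site rides on the victim's cookie and succeeds."""
    if req.method != "POST":
        return False
    session.email = req.form["email"]
    return True


def change_email_hardened(session: Session, req: Request) -> bool:
    """Hardened form: the request must carry the session's token, and if
    the browser sent an Origin header it must be our own origin."""
    if req.method != "POST":
        return False
    origin = req.headers.get("Origin")
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False  # cross-origin submission, reject before looking further
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing via timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return False
    session.email = req.form["email"]
    return True


def demo() -> tuple[str, str]:
    """Replay the same cross-site POST (no token, foreign Origin) against
    both handlers; return the email each victim session ends up with."""
    victim_a = Session(user="alice", email="alice@example")
    victim_b = Session(user="alice", email="alice@example")
    cross_site = Request(
        method="POST",
        form={"email": "changed@other.example"},      # constructed sample
        headers={"Origin": "https://other.example"},  # constructed sample
    )
    change_email_vulnerable(victim_a, cross_site)
    change_email_hardened(victim_b, cross_site)
    return victim_a.email, victim_b.email


def legitimate_update(session: Session, new_email: str) -> bool:
    """A same-site form submission carrying the session's own token."""
    req = Request(
        method="POST",
        form={"email": new_email, "csrf_token": session.csrf_token},
        headers={"Origin": ALLOWED_ORIGIN},
    )
    return change_email_hardened(session, req)


if __name__ == "__main__":
    print(demo())  # vulnerable handler changed the address, hardened one did not
```

The token check is the actual defence; the Origin comparison is defence in depth, because older browsers and some requests omit the header, which is why a missing Origin is tolerated rather than treated as a pass. A per-session token is the simplest form of the pattern; per-form or per-request tokens tighten it further at the cost of breaking multi-tab use.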

McAfee has already fixed the bug, but during the five weeks that Bailey
monitored it, the site continued to bear the McAfee Security logo,
raising questions about just how valuable such a mark is. McAfee Secure,
after all, is designed to pinpoint precisely these types of
vulnerabilities.

It also shines a bright light on the processes McAfee takes to ensure
its websites are free of such hazards. According to Bailey, the
vulnerable application was not designed with the benefit of an SDL, or
secure development lifecycle, which builds products from scratch to make
sure they follow security best practices. He also said that prior to the
bug being reported, McAfee "had never performed a full code review for
web vulnerabilities."

[...]
