McAfee admits flaws in SaaS for Total Protection

James Stirling News
19 Jan, 2012

The Intel-owned security firm admits to holes in its SaaS anti-malware product, with plans to patch this week.

McAfee has confirmed SaaS for Total Protection contains two vulnerabilities which could let hackers use machines as open relays for spam.

The security company – owned by Intel – admitted the flaws in its hosted anti-malware solution in a blog post, trying to reassure customers the holes were limited to this single product.

The first flaw could allow attackers to “misuse” ActiveX controls in order to execute malicious code. However, the second would enable cyber criminals to use an infected machine as an open relay to distribute spam to other users.

Whilst the first was similar to an issue patched in August last year, meaning the risk for customer data was low, the second hole has been abused by spammers.

“The second issue has been used to allow spammers to bounce off of affected machines, resulting in an increase of outgoing email from them,” wrote David Marcus, director of security research for McAfee.

“Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine.”

McAfee hopes to release a patch to fix both issues this week as soon as it has finished the necessary testing.

“Because this is a managed product, all affected customers will automatically receive the patch when it is released,” added Marcus.

The company claimed there was no evidence of loss or compromise of any customer data due to the two flaws.

Sign up for our free newsletter