Researchers disclosed on a public security e-mail list today three vulnerabilities in the Web site of security firm McAfee, whose site has been found to have bugs several times before.
The YGN Ethical Hacker Group told the Full Disclosure list that it had reported the problems to McAfee on February 10 and that two days later the company said it was working to resolve them. The group disclosed them publicly after noticing this weekend--a month and a half later--that the problems remained open.
McAfee says it is aware of the vulnerabilities and is working to fix them. "It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information," the company said in a statement. "Additionally, we have not seen any malicious exploitation of the vulnerabilities."
McAfee characterized the vulnerabilities as:
Cross Site Scripting in download.mcafee.com. "In a worst case scenario this vulnerability could allow attacks that spoof the McAfee brand by presenting a URL that looks like it directs to a McAfee Web site but in fact directs elsewhere."
Information disclosure on www.mcafee.com. "This issue gives some detail on an internally used application to measure Web traffic, but doesn't disclose any proprietary information or any customer information."
Information disclosure on download.mcafee.com. "This issue provides access to the source code for some of the interactive pages on our Web site, but this also does not disclose any sensitive information or any customer information."
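The first item is the one with a concrete attack story: a reflected cross-site scripting bug lets an attacker hand a victim a link that really does point at download.mcafee.com, while the page that renders is under the attacker's control. The following Python is an added illustration and not code from McAfee's site or from the YGN report; the page names no affected parameter or endpoint, so the `product` query parameter, the template and the evil.example host are assumptions. It shows the unescaped reflection beside the escaped form, a response header that blunts the injected script even if escaping is missed somewhere, and the quick check a tester runs to tell the two apart.

```python
"""Reflected XSS on a download page: vulnerable rendering beside a hardened one.

Added example, not code from McAfee or from the YGN Ethical Hacker Group's
report. The `product` query parameter, the page template and the
evil.example host are assumptions for illustration.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attacker link. It points at the genuine download host, which is
# what gives the spoofing angle its weight: the address bar looks right while
# the injected script sends the visitor elsewhere (evil.example is assumed).
CRAFTED_URL = (
    "https://download.mcafee.com/products/?product="
    "%3Cscript%3Elocation%3D%27https%3A%2F%2Fevil.example%2Fupdate%27%3C%2Fscript%3E"
)

# Assumed page template; the reflected value lands in an HTML text context.
TEMPLATE = "<html><body><h1>Download {product}</h1></body></html>"


def product_param(url: str) -> str:
    """Return the (assumed) `product` query parameter, percent-decoded."""
    query = parse_qs(urlsplit(url).query)
    return query.get("product", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflect the parameter verbatim: the bug class McAfee described."""
    return TEMPLATE.format(product=product_param(url))


def render_hardened(url: str) -> str:
    """Escape for the HTML text context before reflecting the value."""
    return TEMPLATE.format(product=html.escape(product_param(url), quote=True))


def hardened_headers() -> dict:
    """Defence in depth: a CSP without 'unsafe-inline' stops the injected
    inline script from running even where output escaping was missed."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def reflects_unescaped(url: str, body: str) -> bool:
    """Tester's check: does the raw parameter value, angle brackets intact,
    appear in the response body? True means the reflection is unescaped."""
    raw = product_param(url)
    return ("<" in raw or ">" in raw) and raw in body


if __name__ == "__main__":
    print(render_vulnerable(CRAFTED_URL))
    print(render_hardened(CRAFTED_URL))
    print("vulnerable reflects unescaped:",
          reflects_unescaped(CRAFTED_URL, render_vulnerable(CRAFTED_URL)))
    print("hardened reflects unescaped:",
          reflects_unescaped(CRAFTED_URL, render_hardened(CRAFTED_URL)))
```

The escaping is context-specific: `html.escape` is correct for the text and attribute contexts shown, but a value reflected into a `<script>` block or a URL attribute needs that context's own encoding, which is why the CSP header is kept as a second layer rather than as a substitute.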
"McAfee has strict policies in place for its own Web sites and for services provided by third parties," the company said. "We are investigating how these particular vulnerabilities were not identified in our screening process and will adjust our processes if necessary."
McAfee has had holes in its sites before: in 2008, in 2009, when certain customer accounts were exposed by cross-site scripting and cross-site request forgery vulnerabilities, and again last year.