McAfee will release a fix this week for a bug in its SaaS for Total Protection anti-malware service that scammers were using to distribute spam, the company said today.
The problem came to light after McAfee customers reported in blog posts and forum sites that spammers were using a hole in McAfee's RumorServer relay service to secretly send spam from their machines. The customers said they noticed the problem after their e-mails were blocked by e-mail providers and their IP addresses appeared on blacklists.
The problem is isolated to the SaaS Total Protection service, according to David Marcus, director of security research at McAfee Labs. There is no evidence that any customer data has been lost or compromised as a result of the problem, he said.
"The patch will be released on January 18 or 19, as soon as we have finished testing," Marcus wrote. "Because this is a managed product, all affected customers will automatically receive the patch when it is released.
There are two issues with the software. One vulnerability could allow an attacker to misuse an ActiveX control to execute code on victim's computer. The second one, which is the issue the customers complained about, allows an attacker to misuse the "open relay" technology in the software.
"The first issue has much in common with a similar issue patched in August 2011," Marcus wrote. "In fact, the patch delivered then basically cuts off the exploitation path for this issue, effectively reducing the risk to zero. Because of this, customer data is not directly at risk."
"The second issue has been used to allow spammers to bounce off of affected machines, resulting in an increase of outgoing email from them. Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine," he said. "The forthcoming patch will close this relay capability."