For the fifth time in two months, security researchers have publicized a serious flaw in a widely used virus-scanning program.
The vulnerability affects McAfee's Antivirus Library, a collection of common code shared among the security software company's various virus scanners, including GroupShield for mail servers and VirusScan for PCs. An attacker could use the flaw to cause a vulnerable system to run a file instead of scanning it for malicious code.
While the company just learned of the issue recently, an update offered to corporate customers in November and consumers in December added security measures that fixed the problem.
"Once the update was released, all current subscribers got the fix," said Marc Solomon, senior product manager for McAfee. "For anyone who is no longer a subscriber, this is a reminder to renew."
The flaw is the fourth antivirus security vulnerability found by Internet Security Systems, which sells software and hardware to protect networks and corporate PCs. The company also has found flaws in the antivirus libraries developed by security software companies Symantec, F-Secure and Trend Micro. Another flaw in Computer Associates International's antivirus software was discovered by security firm eEye Digital Security.
Internet Security Systems would not specify how the problems were found, but a representative stressed that the company didn't target the products.
Users of McAfee's virus scanning software, also known as an engine, are vulnerable only if the software has not been updated through a current subscription and the person has not downloaded the latest virus definitions file, or DAT, from the company.
The flaw could be exploited using any type of network traffic that is scanned by a McAfee product, including e-mail, Web browsing and Windows file sharing. When the vulnerable software attempted to open a malicious file, the software would instead run the program included in the file.
The flaw occurs in how McAfee's software, based on the older library, scans files that are compressed using a format known as LHA. A specially crafted file, when scanned by vulnerable McAfee software, can execute its program.
I assert this article makes a case for software implied-warranty laws. A product was sold with the implied promise that it protects the buyer's computer; it should not expose the protected computer to new threats. Moreover, the buyer should not be forced to pay for a working version of the software. The principle is the same as automobile "lemon laws" and laws that enforce implied warranties that override manufacturer's serviceability disclaimers. Shrink-wrap and servisability disclaimers are too prevalent in the software industry.
Wouldn't it be funny, if some of these companies end up getting sued because they put out "joke" software. Were they say what they have will protect your system but in reality it's made to expose your systems flaws?
Wait there should be a "quack" law for security software. Some companies are legit and god bless em. but they need to deal with the ones that put software out that doesn't actually protect.
Chinese authorities have reportedly taken iPads from a third-party retailer, a move apparently brought on by Apple's continued refusal to honor a trademark for the iPad name owned by a Chinese manufacturer.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
After a higher-than-expected fourth quarter, the video subscription service unburdens itself of a pending yearlong class action suit and settles for $9 million.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
This week, we pass around Sony's new PlayStation Vita for some hands-on testing, check out HP's newest Beats Audio laptop, and debate the best and worst Valentine's Day gadget gifts.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
Wait there should be a "quack" law for security software. Some companies are legit and god bless em. but they need to deal with the ones that put software out that doesn't actually protect.