Flaws on McAfee's website leave it vulnerable to cross-site scripting and other attacks, security researchers warn.
YGN Ethical Hacker Group also discovered various lesser information disclosure bugs on the security firm's website, according to an advisory published on a full disclosure mailing list on Monday.
YGN said it published the details only after notifying McAfee privately of the problems back on 10 February.
Cross-site scripting (XSS) flaws create a means to present content from a third-party website in the context of a vulnerable site. The class of flaw, which is a perennial problem in website development, creates a possible mechanism to mount phishing attacks or other sorts of malfeasance.
In a statement, McAfee said no harm had come of the vulnerabilities, which it said it was in the process of fixing.
Early on Monday March 28, 2011, various online news outlets reported on vulnerabilities in McAfee Web sites. McAfee is aware of these vulnerabilities and we are working to fix them.
It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities.
McAfee along with other security vendors have had problems in this area in the past. For example, security enthusiasts at XSSed found cross-site scripting bugs on the websites of McAfee, Symantec and VeriSign back in 2008.
Programming errors that give rise to XSS vulnerabilities are nothing out of the ordinary, but the industry is entitled to hold McAfee to a higher standard than other organisations, especially given it markets its McAfee Secure service as a way for enterprises to identify problems on their websites. ®