!DOH!
*FacePalm*
McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text. The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI …
The only reason that the average Joe is proof against rejecting McAfee is that the average Joe can't grasp just how mind-bogglingly stupid this exploit is.
You know the piping that brings the stove gas into your house? We put a switch at the curb so that your neighbor's kid could pick natural gas, hydrogen sulfide, or hydrogen cyanide. The first is so you can have tea, the second two so you won't have bugs. Convenient, eh?
Wow, but I'm not convinced this article has more than scratched the surface of the real security issue; likewise, "fixing" it using HTTPS only fixes the 4th-party exploit described.
It's not difficult to understand why a security scanner needs admin access to a system. This context presumably prevents normal sandboxing, as you would get for 3rd-party scripts linked through a webpage - though I block such scripts generally. But even if the 3rd-party content were provided using HTTPS, is it really considered sane for such content to have the same admin access to the PC as the scanner it funds? It sounds to me like the 3rd parties are probably not just getting access to _show_ you their content. An investigation into whether they are in fact _accessing_ (or are capable of accessing) content likely to be more valuable on the machine being scanned seems called for.
Personal data seems likely to be more valuable than the right to display content during a scan or web page view, and it's why I'm refusing so many mobile apps inappropriate rights to access this on my mobile platforms which they don't need in order to deliver the functionality offered.
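As an added detection example (not from the article, the commenters, or McAfee), the Python below walks a constructed outbound-request log and flags plaintext HTTP fetches made by processes running with admin rights, the combination the article excerpt and the comment above describe; the log format, user names, process names and URLs are all assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log, not real McAfee output. Assumed format: "time|user|process|url".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z|NT AUTHORITY\\SYSTEM|scanner.exe|http://ads.example.test/banner.html
2024-01-01T10:00:02Z|NT AUTHORITY\\SYSTEM|scanner.exe|https://update.example.test/defs.bin
2024-01-01T10:00:03Z|alice|browser.exe|http://news.example.test/
2024-01-01T10:00:04Z|Administrator|scanner.exe|http://ads.example.test/logo.png
garbage line without fields
"""

# Assumed set of privileged accounts for this sample; adapt to the host's policy.
PRIVILEGED_USERS = {"NT AUTHORITY\\SYSTEM", "Administrator"}
# Content that can execute or render scripts is worse to receive unauthenticated
# than a static image, because a man-in-the-middle can rewrite it in transit.
ACTIVE_CONTENT = {".html", ".htm", ".js", ".exe", ".dll", ".msi"}


@dataclass
class Finding:
    time: str
    process: str
    url: str
    severity: str


def classify(url: str) -> str:
    """Severity by resource type: active content fetched over plaintext is 'high'."""
    path = urlparse(url).path.lower()
    return "high" if any(path.endswith(ext) for ext in ACTIVE_CONTENT) else "medium"


def find_plaintext_privileged_fetches(log: str) -> list[Finding]:
    """Return one Finding per plaintext-HTTP request issued by a privileged account."""
    findings = []
    for line in log.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip malformed records instead of aborting the sweep
        time, user, process, url = parts
        if user not in PRIVILEGED_USERS:
            continue  # an unprivileged browser on HTTP is a different, lesser problem
        if urlparse(url).scheme.lower() != "http":
            continue  # HTTPS (or other schemes) are not the bug discussed here
        findings.append(Finding(time, process, url, classify(url)))
    return findings


if __name__ == "__main__":
    for f in find_plaintext_privileged_fetches(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.time} {f.process} -> {f.url}")
```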