McAfee online scan used plain old HTTP to fetch screen elements

McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text. The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI …

  1. Shadow Systems

    !DOH!

    *FacePalm*

  2. Notas Badoff

    Fool proof

    The only reason that the average Joe is proof against rejecting McAfee is that the average Joe can't grasp just how mindbogglingly stupid this exploit is.

    You know the piping that brings the stove gas into your house? We put a switch at the curb so that your neighbor's kid could pick natural gas, hydrogen sulfide, or hydrogen cyanide. The first is so you can have tea, the second two so you won't have bugs. Convenient, eh?

  3. Anonymous Coward Silver badge
    Facepalm

    Job application: proof reader

    "The image below outlines in red the screen element SecuriTeam’s informant attacked"

    The only images below are links to other articles (or adverts)

    (I can see the intended image on the securiteam article: https://blogs.securiteam.com/index.php/archives/3350 )

  4. adam payne

    #seriously

  5. PyLETS
    FAIL

    Is this model trusting 3rd parties not to be evil?

    Wow, but I'm not convinced this article has more than scratched the surface of the real security issue; likewise, "fixing" it using HTTPS only fixes the 4th-party exploit described.

    It's not difficult to understand why a security scanner needs admin access to a system. This context presumably prevents normal sandboxing, as you would get for 3rd-party scripts linked through a web page, though I block such scripts generally. But even if the 3rd-party content were provided using HTTPS, is it really considered sane for such content to have the same admin access to the PC as the scanner it funds? It sounds to me like the 3rd parties are probably not just getting access to _show_ you their content. An investigation into whether they are in fact _accessing_, or are capable of accessing, likely more valuable content on the machine being scanned seems called for.

    Personal data seems likely to be more valuable than the right to display content during a scan or web page view, and that's why I'm refusing so many mobile apps the inappropriate rights to access it on my mobile platforms, rights they don't need in order to deliver the functionality offered.

  6. heyrick Silver badge
    WTF?

    window.external.LaunchApplication("c:\\windows\\system32\\calc.exe", "");

    So... Some JavaScript sent to "a browser" (the lingering ghost of IE?) has the capability of running an external application? Who the bloody effing hell thought that was a good idea?

  7. Anonymous Coward
    Megaphone

    Shock!

    Adverts served may contain malware!

    1. Captain Badmouth
      Alien

      Re: Shock!

      Antivirus programs may serve malware!

      Fixed.

  8. kbutler.toledo

    Now I know... why AT&T, my current ISP, gave this suite away to all its users.
