Security...
.....it's in the title!
[Nowhere else though.]
McAfee's Enterprise Security Manager (ESM) needs patching, as smartly as you can manage, due to an administrator-level authentication bypass. The advisory here says “a specially crafted username” can get past the Security Information & Event Management logins without authentication, and without a password, “if the ESM is …
You shouldn't be. When I purchased a new ASUS laptop a few months ago, I was handed a free 1 year subscription to McAfee by a suitably solemn sales person stating this would guarantee my new toy was protected.
I binned it as soon as I got home, but I imagine a lot of people who don't read the likes of El Reg and similar literature see this as a '29.99 Euro freebie' and install it at the first opportunity.
Unfortunately, no laws governing the protection of consumers in Belgiumshire include protection from stupidity by salesfolk.
"It's McAfee that our computer needs protection from"
WB of Leeds writes that he paid £49 (ffs!) to renew the "virus protection" on his computer but kept getting messages saying it was at risk and he needed to renew. His wife saw one message and paid again! The messages keep coming. He contacted McAfee "technical" and despite 2 "technicians" spending 2 hrs. on his computer they were unable to download the security software. He then received a phone call from a "manager" who told him they could not load the software because his computer had been infected by a "trojan bug" but it could be removed for £99! When he requested the return of his renewal payments the McAfee rep. put the phone down. This has not yet appeared on the Observer website for 6th Dec., hence my typing it up here - oh my RSI.
Just wondering whether the money was paid to McAfee or to the trojan overlords?
Just as effective in either case, methinks. :)
A couple of large multi-national companies...I won't name them, but one of them bought McAfee a few years back...tend to write special hard coded "trap doors" into complex software, for development purposes. As an example: a few older El Reg readers may recall the Microsoft Office application suite that got distributed with two CD-ROM keys. One key matched the sticker(s) on the package. The other key was "all ones". (11111-11111-11111-11111-11111)
I would guess that one of the McAfee developers forgot to re-enable password checking on a hard coded development access point. Oops.
Truth be told, I'm more concerned that coders/developers routinely defeat system security during development, than I am distressed about this particular exploit.