McAfee admits flaws in SaaS for Total Protection


McAfee has confirmed SaaS for Total Protection contains two vulnerabilities which could let hackers use machines as open relays for spam.

The security company owned by Intel admitted the flaws in its hosted anti-malware solution in a blog post, trying to reassure customers the holes were limited to this single product.

The first flaw could allow attackers to "misuse" ActiveX controls in order to execute malicious code. However, the second would enable cyber criminals to use an infected machine as an open relay to distribute spam to other users.

Whilst the first was similar to an issue patched in August last year, meaning the risk for customer data was low, the second hole has been abused by spammers.

"The second issue has been used to allow spammers to bounce off of affected machines, resulting in an increase of outgoing email from them," wrote David Marcus, director of security research for McAfee.

"Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine."

McAfee hopes to release a patch to fix both issues this week as soon as it has finished the necessary testing.

"Because this is a managed product, all affected customers will automatically receive the patch when it is released," added Marcus.

The company claimed there was no evidence of loss or compromise of any customer data due to the two flaws.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.