Bugs in McAfee SaaS product threatens its customers' security

The vulnerabilities could enable hackers to use McAfee SaaS Total Protection customers to relay spam messages

New vulnerabilities found in one of security firm McAfee's products could allow hackers to use its customers' PCs to disseminate spam messages across the internet.

The firm has published a message to its customers warning them of the vulnerability, and assuring them that it is working on a patch.

In it, McAfee, a division of chip manufacturer Intel, explains that the bug affects its SaaS for Total Protection hosted anti-malware product, and that the vulnerabilities will be patched this week.

Dave Marcus, director of security research at McAfee Labs and author of the message, added that the patch will be automatically applied to customers' software upon release, without the need for any manual intervention.

Marcus explained that two vulnerabilities have been found. The first issue enables an attacker to misuse an ActiveX control to execute code. The second allows an attacker to use McAfee's Rumour technology to use an affected machine to send spam.

This peer-to-peer technology is designed to use file-sharing intelligence to distribute security updates within a network. However, it has been discovered that hackers can use it to distribute spam.

"The first issue has much in common with a similar issue patched in August 2011. In fact, the patch delivered then basically cuts off the exploitation path for this issue, effectively reducing the risk to zero."

He admitted that the second issue is still currently a risk, and that this issue will be fixed in the impending patch.

"The second issue has been used to allow spammers to bounce off of affected machines, resulting in an increase of outgoing email.

"Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine. The forthcoming patch will close this relay capability."