McAfee promises to patch SaaS for Total Protection flaws

Security vendor McAfee has revealed it is in the process of rolling out a patch to fix two newly discovered flaws in its hosted anti-malware service SaaS for Total Protection.

McAfeeLabs director of security research Dave Marcus, explained that the patch would be rolled out automatically in the next day.

"Two issues in SaaS for Total Protection have arisen in the past few days. In the first, an attacker might misuse an ActiveX control to execute code," he explained.

"The second involves a misuse of our ‘rumor' technology to allow an attacker to use an affected machine as an ‘open relay', which could be used to send spam."

Marcus said that the first issue cannot actually be exploited by hackers thanks to a path rolled out in August 2011, which addressed a similar flaw.

"The second issue has been used to allow spammers to bounce off affected machines, resulting in an increase of outgoing email from them," he added.

"Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine. The forthcoming patch will close this relay capability."

News of the vulnerability was first disclosed on Monday by the unusual source of art and design web site Kamaar.com.

It's not been a good week for the big two of the security industry, McAfee and Symantec. Alongside Intel-owned McAfee's disclosure on Wednesday, market leader Symantec was forced to back-track on previous statements and admit that its network was breached in an attack in 2006.

The security giant is also being sued in the US by a consumer claiming the firm uses scareware tactics to persuade potential customers to buy its products.