Flaw Found in 2006 McAfee Products

A flaw in many of McAfee's security products could open up users to a data exposure risk, security firm eEye Digital Security warned late Monday. Among the programs affected are Internet Security Suite, SpamKiller, Privacy Service and Virus Scan Plus, although the 2007 versions, released Saturday, are immune.

McAfee has confirmed the flaws and is working on a fix, saying a patch would be delivered automatically to subscribers by midweek. No known attacks have been reported to be taking advantage of the vulnerability. Exploit code is not available on the Web, researchers said, thus it's likely no attacks would occur.

"A flaw exists in multiple McAfee consumer products that could allow an attacker the ability to execute arbitrary commands on the vulnerable systems," eEye warned in its advisory.

"This can lead to complete system compromise at which point an attacker could install trojans, modify/delete files, or perform any other activity as a normal logged on user would."

A similarly dangerous flaw was discovered by the firm in May affecting Symantec products. In that issue, after the vulnerability is exploited, a hacker gains access to the command shell and is able to perform just about any action. The hole was patched quickly by Symantec.

eEye had also detected a flaw in McAfee programs protecting business computers in mid-July. However, unlike the consumer vulnerability the issue had been already addressed. McAfee said it did not warn customers of that problem, leading to criticism last month.