McAfee patches flaw that turned protected systems into spam relays

McAfee SaaS Total Protection

Security software is an everyday necessity for most people, especially Windows users, businesses, and enterprises. But one of the ironies of security software is that, once in a while, it turns out to be the source of security problems all by itself. The latest instance involves McAfee’s SaaS Total Protection suite, a cloud-based solution designed to provide comprehensive email and and Web filtering along with centralized security management for businesses and organizations. However, McAfee has just had to issue an update to the service to block a flaw that could let attackers execute code on protected machines, and to fix another problem that could potentially enable attackers to turn protected systems into spam relays.

“Two issues in SaaS for Total Protection have arisen in the past few days,” wrote McAfee’s David Marcus in the company’s blog. “In the first, an attacker might misuse an ActiveX control to execute code. The second involves a misuse of our ‘rumor’ technology to allow an attacker to use an affected machine as an ‘open relay,’ which could be used to send spam.”

McAfee says the ActiveX control issue, while new, is similar to a problem the company patched back in August 2011: As long as customers have applied that update, they aren’t vulnerable to the new problem. McAfee has begun rolling out an update for the spam relaying issue, and customers should receive the update soon if they haven’t already.

The Saas Total Protection suite’s “rumor” technology enables protected computers to communicate updates with each other in a fashion like peer-to-peer networking. The idea is to distribute updates automatically in-house on local networks rather than forcing every protected system to grab new updates from McAfee, potentially straining an organization’s Internet connectivity. According to reports, the service installs itself even if users don’t specifically ask for it, and while it can be shut down using Windows’ built-in administrative tools it gets restarted whenever McAfee delivers a software update.

Although the spamming vulnerability never put data on protected machines at any risk, attackers were able to use the rumor service to essentially bounce email messages off the protected systems, making it appear to the rest of the Internet that the McAfee-protected computers were the origin of the spam, rather than the attackers themselves. As a result, some McAfee users were mysteriously finding their machines and networks blocked by spam filters — in one case, apparently by McAfee’s own antispam technology within the organization.

McAfee was acquired by Intel in 2010.