Intel-owned security company McAfee warned that a flaw in its SaaS for Total Protection software could leave its customers' PCs vulnerable to attack and allow them to be used to distribute spam.
The flaw is related to SaaS for Total Protection, McAfee's hosted antimalware service.
Two issues in SaaS for Total Protection have arisen in the past few days. In the first, an attacker might misuse an ActiveX control to execute code. The second involves misuse of McAfee's "rumor" technology, which allows an attacker to use an affected machine as an "open relay" that could be used to send spam.
McAfee has mitigating factors already in place that reduce risk, and a patch is coming soon to remediate any additional risk. Because this is a managed product, all affected users will automatically receive the patch when it is released.
The first issue has much in common with a similar issue patched in August 2011. In fact, the patch delivered then basically cuts off the exploitation path for this issue, effectively reducing the risk to zero.
The second issue has been used by spammers to bounce mail off affected machines, resulting in an increase in outgoing email from those machines. Although this issue can allow the relaying of spam, it does not give access to the data on an affected machine.