McAfee isn't "McAfee Secure" or "Hacker Safe"

Summary: In my most recent discussion on McAfee, I posted a talkback to Russ McRee stating, tongue in cheek mind you, that it'd be interesting to see an XSS or SQL Injection on McAfee's site, see if they are indeed "McAfee Secure". Well, I guess you get what you ask for...

TOPICS: Security, CXO

Russ McRee, on his HolisticInfoSec blog, posted the following:

"A challenge was put forth on Zero Day, and it has been answered. Apparently, McAfee doesn't care about XSS on their own sites either. I'll let the video speak for itself.

For the love of all things good and proper, McAfee, please address this issue...for yourselves and the consumers who look to you to do the right thing.

Sincerely, Russ McRee"

Yes, that is what you think it is: a video of an XSS exposure on one of McAfee's sites. I'm not sure what to think about this. Clearly, from some of McAfee's previous comments, we can reasonably assume that they don't truly understand how big an issue XSS is; further, I find it a bit disturbing that they aren't running McAfee Secure on their own sites if it is in fact a product they are confident in selling to customers. So I think we have one of two possibilities here:

1.) McAfee is not using their own security tool on their own sites... hmm, that really spells brand confidence, doesn't it?
2.) McAfee is using the tool, but the tool doesn't do an adequate job of reporting security issues.

Now, I'm not one to say that I'm free of XSS... I'm fairly positive that ZDNet has XSS issues, but that's not the point. The point is, I don't try to sell a tool as the magic silver bullet for protecting web applications, nor do I certify any of those applications by saying they are "Hacker Safe" or "Nate McFeters Secure".

I think it is time that McAfee changed its stance on XSS... it is a major issue and it deserves attention, certainly from a tool that certifies an application as "Hacker Safe". I think it's also time they changed their stance on their certification tool altogether... a simple automated scan will never catch all the issues a web application faces.

  • McAfee not a security company

    I've been saying this for a while, albeit mostly regarding Symantec. This still applies to McAfee, though: An antivirus company does not a security company make.
    Though still an unpopular idea, the concept of antivirus does not comply with standard, universal security principles.
    As a result, most AV vendors - Symantec, McAfee, etc - still have not accepted those principles which are commonly accepted outside of the AV world... These companies simply DO NOT GET IT.
    Time to throw them out of the halls of security companies - stop calling them that!
    • You are correct.

      These companies were basically not security companies when they started, but through acquisitions and mergers became a conglomerate of anti-virus, anti-spyware, firewall, and other "security" applications; the management just wants to sell something for profit and is not looking at what the product does or improving it. This is what McAfee is doing: they are looking to recoup the cost of the acquisition and do not want to improve or fix the product they acquired.
  • NMF Secure - consider the revenues...


    Surely if you build it, they will come, right? Consider the revenue stream.

    Seriously, though, it is hard to think of a company which sells AV + other system protection tools which itself is not secure, or at least their websites.

    Then again, I'm sure many people have been disconnected while on hold to complain or ask for help from the telephone company, yet they keep going back. This is the definition of irony.

    Some will say that they are not a security company. While they may specialize in certain aspects of security, I think it is inaccurate to say that they are not a security company. Run Windows without antivirus and surf the web for an hour and see how secure your computer remains.

    For the record, I have avoided McAfee for years as I have felt that other products were superior. On my Windows boxes now I use Trend Micro, and have had great results.
  • RE: McAfee isn't

    "Not eating their own dog food" my old VP used to say.
    "I wouldn't eat at a 5-star rated restaurant if the chef, waiters or management don't eat there" Walter E. Williams, PhD.
    Most wise people would look if the company that sells the product uses the product itself before they will buy it.
    Unfortunately McAfee's management does feel that way, and the people who buy their products don't care as long as they have a "badge" on their website so they can show that the users are "protected". As we, the tech community, are showing that the "King has no clothes", McAfee is now backpedaling and re-badging this solution but not wanting to put true effort into fixing the problem, which would eventually pay more rewards. However, with McAfee's management, fixing the real problem is too expensive, so re-badging is a quick and cheap solution, and those who are not tech savvy will be duped into buying the "re-clothed" solution.
    • New cert: "Nate McFeters Safe"

      I'm thinking of actually creating my own certification, "Nate McFeters Safe". You can purchase the image for only $9.95 per month, and it signifies that your site is safe from Nate McFeters, as he will not attempt to hack it when he sees his logo brandished.

  • did they fix them?

    I was just checking their site. They seem to have fixed those.
  • RE: McAfee isn't

    I'd like to agree and add an example.

    McAfee's SiteAdvisor has falsely tagged our website and many other innocent websites as sources of "unsolicited emails", which is reported on Yahoo's search engine. All three companies have been non-responsive, arrogant and accept no responsibility when these errors are pointed out - preferring instead to blame us victims. Lots of details and links to blogs and other victims at