McAfee has changed its official response on how many enterprise customers were affected by a bug that caused havoc on computers globally.
A McAfee update released on Wednesday caused McAfee software on computers running Microsoft's Windows XP Service Pack 3 to incorrectly identify a legitimate operating system component as infected. Affected computers experienced networking problems or repeated rebooting. McAfee has since removed the buggy update from the company's servers.
McAfee's executive vice president of Worldwide Technical Support & Customer Service, Barry McPherson, said on an official McAfee blog yesterday that the problem was not widespread. "We believe that this incident has impacted less than one half of 1 per cent of our enterprise accounts globally and a fraction of that within the consumer base," he said.
But today the mention of "less than one half of 1 per cent" appears to have been modified. "We believe that this incident has impacted a small percentage of our enterprise accounts globally and a fraction of our consumer base home users of products such as McAfee VirusScan Plus, McAfee Internet Security Suite and McAfee Total Protection," the blog now states.
The reason for the removal was "to restate number of customers impacted", according to the blog.
"They've probably taken the safe path and I strongly suspect that the numbers that they had [on their blog] were just a guess and they've now realised it's pretty hard to defend a guess, so we better go with something vague instead," IBRS analyst James Turner said of the change.
He slammed McAfee for not being sure that the update would work on one of the world's most popular operating systems, Windows XP. "It was just completely disgraceful," he said. "And the reason why it's disgraceful is when you get a false positive like this it becomes as expensive to corporations as if it were a genuine attack."
He also said it didn't take too many instances like this to "completely throw your total-cost-of-ownership calculations", causing companies to question whether their investment in antivirus software was causing more harm than good. "I can imagine a lot of people looking at the balance sheets going 'wow, that was expensive for us'," Turner said.
On the topic of best practice, Turner said that although security vendors suggest companies deploy patches straight away, he advised clients the opposite.
"The vendors are going to be saying you need to get it out there because of the risk of being affected is just so horrific. I take a different view, and I'm saying 'Look, there's malware coming out faster than you can bring out a patch'.
"If we expect we've already got a window of opportunity, holding that door open for just a little bit longer and testing the patch makes more sense, particularly when this sort of thing can happen.
"I don't believe that best practice includes straight deployment," he said; companies should instead have a good change program in place for internal testing before deployment.
The fact that the problem was on machines running Microsoft's Windows XP Service Pack 3 meant "there clearly wasn't sufficient testing done" on the patch before it was put out, according to Turner. "It's like 'Oh my god, how many of those are there in the world? There's stacks'," he said.
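The change program Turner describes, in which a definition update is tested on a representative subset of machines before reaching the whole fleet, can be expressed as a ring-based rollout with a promotion gate. The following Python is an added example written for this article, not McAfee's code or anything the vendor published: it pushes the update to a small canary ring, parses the detections that ring reports (the `HOST=... PATH=... SIG=...` log format, the ring names and sizes, the detection names and the protected-file list are all constructed for the example), and refuses to promote the update to the next ring if a core operating-system file is flagged or if an unusually high share of hosts report detections.

```python
"""Promotion gate for a ring-based antivirus definition rollout.

Added example, not McAfee's or any vendor's code.  The update is pushed to a
small canary ring first; the detections that ring reports are checked before
the update is allowed to move to the next ring.  Two checks apply: a detection
on a protected operating-system file is treated as a probable false positive,
and a detection rate above a threshold across the ring is treated as anomalous.
Either condition halts the rollout so the update can be pulled.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed list of core Windows binaries.  A definition update that flags
# one of these on fully patched hosts is almost certainly a false positive.
PROTECTED_OS_FILES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\explorer.exe",
}

# Rollout rings in order; a ring receives the update only after the previous
# ring's gate has passed.  Names and sizes are constructed for the example.
RING_ORDER = ["canary", "pilot", "broad"]
RING_SIZES = {"canary": 100, "pilot": 1000, "broad": 20000}

# Constructed agent log format: HOST=<name> PATH=<file> SIG=<detection name>.
# The path is matched lazily so that paths containing spaces still parse.
LINE_RE = re.compile(r"HOST=(?P<host>\S+)\s+PATH=(?P<path>.+?)\s+SIG=(?P<sig>\S+)\s*$")


@dataclass(frozen=True)
class Detection:
    host: str
    path: str
    signature: str


@dataclass
class GateResult:
    promote: bool
    reasons: List[str]


def parse_detection_line(line: str) -> Optional[Detection]:
    """Parse one constructed detection line; return None if it is malformed."""
    match = LINE_RE.search(line)
    if not match:
        return None
    return Detection(match.group("host"), match.group("path"), match.group("sig"))


def normalize_path(path: str) -> str:
    """Case-fold and unify separators so the allowlist lookup is robust."""
    return path.strip().strip('"').replace("/", "\\").lower()


def evaluate_ring(detections: List[Detection], hosts_in_ring: int,
                  max_host_rate: float = 0.02) -> GateResult:
    """Decide whether the update may leave this ring.

    max_host_rate is the fraction of ring hosts that may report any detection
    before the ring is considered anomalous (2% here, a constructed threshold).
    """
    reasons: List[str] = []
    protected = sorted({d.path for d in detections
                        if normalize_path(d.path) in PROTECTED_OS_FILES})
    if protected:
        reasons.append("protected OS file flagged: " + ", ".join(protected))
    affected_hosts = {d.host for d in detections}
    rate = len(affected_hosts) / hosts_in_ring if hosts_in_ring else 0.0
    if rate > max_host_rate:
        reasons.append(f"{len(affected_hosts)}/{hosts_in_ring} hosts report detections "
                       f"({rate:.1%} exceeds {max_host_rate:.1%} threshold)")
    return GateResult(promote=not reasons, reasons=reasons)


def run_rollout(ring_sizes: Dict[str, int],
                ring_logs: Dict[str, List[str]]) -> Dict[str, object]:
    """Deploy ring by ring, halting at the first ring whose gate fails."""
    deployed: List[str] = []
    for ring in RING_ORDER:
        deployed.append(ring)  # the update reaches this ring
        detections = [d for d in (parse_detection_line(line)
                                  for line in ring_logs.get(ring, []))
                      if d is not None]
        result = evaluate_ring(detections, ring_sizes[ring])
        if not result.promote:
            return {"deployed": deployed, "halted_at": ring, "reasons": result.reasons}
    return {"deployed": deployed, "halted_at": None, "reasons": []}


# Constructed agent logs.  Scenario 1: three canary hosts flag a core OS binary.
FALSE_POSITIVE_LOGS = {
    "canary": [
        r"HOST=pos-001 PATH=C:\Windows\System32\svchost.exe SIG=Example.Constructed.A",
        r"HOST=pos-007 PATH=C:\Windows\System32\svchost.exe SIG=Example.Constructed.A",
        r"HOST=pos-019 PATH=C:\Windows\System32\svchost.exe SIG=Example.Constructed.A",
        "agent heartbeat line with no detection fields",
    ],
}
# Scenario 2: a single hit on a user download, well under the rate threshold.
CLEAN_LOGS = {
    "canary": [r"HOST=ws-004 PATH=C:\Users\jdoe\Downloads\setup_tool.exe SIG=Example.Constructed.B"],
    "pilot": [],
    "broad": [],
}

if __name__ == "__main__":
    for name, logs in (("false positive", FALSE_POSITIVE_LOGS), ("clean", CLEAN_LOGS)):
        print(name, run_rollout(RING_SIZES, logs))
```

In the first scenario the gate halts the rollout at the canary ring for two independent reasons (a protected file is flagged, and 3% of canary hosts report detections), so the remaining rings never receive the update; in the second the update is promoted through every ring. The protected-file check is the one that matters for an incident of this kind: a detection rate threshold alone would not catch a false positive that only fires on a platform under-represented in the canary ring, which is why the canary ring should mirror the operating-system mix of the fleet.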
Australian supermarket chain Coles was yesterday hit by the McAfee bug, which affected 10 per cent of its point-of-sale terminals and forced it to shut down stores in both Western Australia and South Australia. The Commonwealth Bank of Australia and Virgin Mobile also confirmed they were hit by the bug.
McAfee has been contacted for comment, but had not responded at the time of writing.