McAfee patches critical flaw in corporate products

Security hole in ePolicy Orchestrator and ProtectionPilot could let an outsider take complete control of a system.

McAfee has patched a "critical" flaw in its ePolicy Orchestrator and ProtectionPilot software that could enable an intruder to take over a vulnerable system. The problem affects ePolicy Orchestrator version 3.5.0 Patch 5 and earlier, and ProtectionPilot 1.1.1 Patch 2 and earlier, the security provider said in an advisory Monday.

The problem lies in the HTTP server component of the corporate security products, according to an advisory sent to subscribers of Symantec's DeepSight service. A remote attacker could send a malicious HTTP GET request containing code to overflow a buffer on a vulnerable machine and fully compromise it, Symantec said. It noted that an exploit for the hole is already in circulation.