The patches plug two holes in the anti-malware service: one that could enable an attacker to misuse an ActiveX control to execute code and the second that could allow a spammer to misuse its “Rumor” technology, a peer-to-peer filing sharing technology, to send spam.
The patch for the first issue, similar to one uncovered last year, cuts off the exploitation path, reducing the risk to zero, the company said. The second issue has been used by spammers to bounce off of affected machines, but not to access data on them, McAfee added.
The spam issue came to light when some subscribers reported that service providers had blocked their IP address after detecting an increase in unsolicited emails coming from their computers.
In a recent blog, Keith and Annabel Morrigan warned that their McAfee security product had been hacked and was being used to access illicit sites and send spam. “It is believed that thousands of computers have been compromised so far, with more being affected every day”, they wrote.
In announcing the patches, David Marcus, director of security research at McAfee Labs, acknowledged that there had been “public interest” in flaws discovered in McAfee’s security products. Marcus stressed that the problems only affected the SaaS for Total Protection product and that there is no evidence that customer has been compromised.