Two security issues have been identified in McAfee's SaaS Total Protection anti-malware software suite, one of which could allow an attacker to misuse an ActiveX control to execute code and turn affected PCs into spam servers. The other vulnerability involves a misuse of McAfee's "rumor" technology to allow an attacker to use an affected machine as an "open relay," which could also be used to send spam. Fixes for both are coming.
"This week, there has been public interest regarding some issues disclosed in McAfee products. McAfee treats security issues in our products very seriously, and so our Product Security team will explain the details around these issues," McAfee said in a blog post. "They do not affect all McAfee products, both are in a single product: SaaS for Total Protection, our hosted anti-malware service. We have mitigating factors already in place that reduce risk, and a patch is coming to remediate any additional risk to our customers."
McAfee said it plans to roll out the patch later today after it's finished testing it, and that customers will receive the update automatically.
Credit goes to British art firm Kaamar Limited for exposing the vulnerabilities in a blog post of its own after noticing that its emails were being blocked and blacklisted.