Product Security Bulletins

 


McAfee is highly focused on ensuring the security of our customers' computers, networks, devices, and data. We are committed to rapidly addressing issues as they arise, and providing recommendations through security bulletins and knowledgebase articles.

McAfee is aware of the DoubleAgent attack which impacts all Windows programs.

McAfee products have self-protection mechanisms to help mitigate such attacks, and are being reviewed for additional protections.

For more information see this Blog, SB10193, and KB88085.
Security Bulletins

If you have information about a security issue or vulnerability with a McAfee or Intel Security product, please send an email to PSIRT@McAfee.com. Encrypt sensitive information using McAfee's PGP public key.
Please provide as much information as possible, including:

  • Discoverer’s contact information:
    • Name (either full name or nickname)
    • Physical address (with at least state-level accuracy)
    • Affiliation / Company
    • Email address
    • Phone number
  • Product information:
    • The products and/or hardware versions affected (build number, if known)
    • Operating system, if known
    • Software and/or hardware configuration
  • Vulnerability information:
    • Detailed description of the vulnerability
    • Sample code that was used to create / verify the vulnerability
    • Information on known exploits
    • CVE number if vulnerability has already been filed
    • URL or link to further information that may help engineering analyze or identify root cause
  • Communication plans:
    • Disclosure plans (dates and venue)
    • Permission to be acknowledged as the discoverer in the security bulletin

A member of the McAfee Product Security Group (PSG) and/or Product Security Incident Response Team (PSIRT) will review your email and contact you to collaborate on resolving the issue.

Triage

All product vulnerabilities are handled by the McAfee Product Security Group. For other issues, please contact one of the teams below:

IT application and web application vulnerabilities are handled by McAfee Global Security Services’ (GSS) Security Operations Center (SOC).

IT application or web vulnerability
McAfee Security Operations Center (SOC)
Email: abuse.report@mcafee.com
Phone: +1 972-987-2745

External queries on performance of currently shipping products are handled by McAfee Technical Support.

Product or software performance, or subscription issue
McAfee Technical Support
Web: http://www.mcafee.com/au/support.aspx

Virus and malware samples are handled by McAfee Labs.

Submit a virus sample
McAfee Labs
Email: virus_research@mcafee.com
Web: http://www.mcafee.com/au/threat-center/resources/how-to-submit-sample.aspx

Contact McAfee PSIRT
Email: PSIRT@McAfee.com
Phone: +1 408-753-5752

PSIRT Policy Statements

Actionable
McAfee will not announce product or software vulnerabilities publicly without an actionable workaround, patch, hotfix, or version update; otherwise we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For vulnerabilities with a lot of media attention, such as HeartBleed, we will post a banner stating our awareness and actions.

No Favorites
To be fair, McAfee discloses product vulnerabilities to all customers at the same time. Large customers typically do not get advance notice. Advance notice may be granted by the PSG on a case-by-case basis and only with a strict NDA.

Discoverers
McAfee gives credit to vulnerability discoverers only if:

  • They desire to be identified as a discoverer.
  • They did not “zero day” us or make their research public before the SB or KB is published.

Organizations, individuals, or both may be identified as discoverers.

CVSS Scoring
The most current Common Vulnerability Scoring System (CVSS) version is to be used. CVSS v3 is currently being used.

All security bulletins must include the CVSS scores for each vulnerability as well as the associated CVSS vectors. The base score is required. Both temporal and environmental scores are optional. Ideally base scores should match the scores assigned by NIST to CVEs.

Support Notification Service (SNS) Message
A Support Notification Service (SNS) message, notice, or alert is required for all security bulletins. This is a service that McAfee Enterprise Support customers rely upon as well as other customers.

To subscribe to SNS text alerts, go to the SNS Request Center and “Create a New Account.”

Response Policy
McAfee’s fix and alert response depends upon the highest CVSS base score.

| Priority (Security) | CVSS v2 Score | Typical Fix Response | SNS |
|---|---|---|---|
| P1 - Critical | 8.5-10.0 High | Hotfix | Alert |
| P2 - High | 7.0-8.4 High | Patch | Notice |
| P3 - Medium | 4.0-6.9 Medium | Patch | Notice |
| P4 - Low | 0.0-3.9 Low | Version Update | Optional |
| P5 - Info | 0.0 | Will not fix. Informational. | NA |


External Communication Mechanisms
McAfee’s external communication mechanism depends upon the CVSS base score, the number of customer inquiries, and the amount of media attention.                                    

  • SB = Security Bulletin (4-10)
  • KB = KnowledgeBase Article (2-4)
  • SS = Sustaining Statement (0-4)
  • NN = Not Needed (0)
| Disclosure type | CVSS = 0 (Low) | 0 < CVSS < 4 (Low) | 4 ≤ CVSS < 7 (Medium) | 7 ≤ CVSS ≤ 10 (High) |
|---|---|---|---|---|
| External Disclosure (CVE) | KB if multiple inquiries, else NN | KB | SB, SNS | SB, SNS |
| Customer Disclosure | SS | SS | SB, SNS | SB, SNS |
| Internal Disclosure | NN | Document in release notes | SB (post-release), Document in release notes | SB (post-release), Document in release notes |


Crisis Scenarios
For publicly known high-severity vulnerabilities affecting multiple products, a security bulletin may be published with a patch for one product, and then updated later with other patches and descriptions for the other products as they become available.

Security bulletins with multiple vulnerable products will list all products, enterprise and consumer, in the following categories:

  • Vulnerable and updated
  • Vulnerable and not yet updated
  • Vulnerable but low risk (given standard deployment best practices)
  • Not vulnerable
  • Being investigated (optional)

Security bulletins are not usually published on Friday afternoons, unless it is a crisis scenario.

Vulnerability vs. Risk Scores
McAfee participates in the industry-standard CVSS vulnerability scoring system. CVSS scores should be considered as a starting point to determine what risk a particular vulnerability may pose to McAfee's customers. The CVSS score should not be confused with a risk rating of the seriousness of vulnerabilities that may occur in McAfee products or the associated runtime environments on which McAfee products execute.

Starting with the CVSS score, McAfee uses "Just Good Enough Risk Rating" (JGERR) to rate the risk of any potential issue that may impact McAfee products. JGERR became a SANS Institute Smart Guide in 2012. JGERR is based upon "Factor Analysis of Information Risk" (FAIR), an Open Group standard. When rating risk with JGERR, additional factors such as the presence and activity of threat agents, attack vectors, exposure of a vulnerability to threat agents, the ease or difficulty of exploiting the vulnerability, and any impacts from exploitation are all factored into the risk analysis. Vulnerability in isolation is just one aspect of a McAfee risk rating.

The CVSS base score determines our initial response to a given incident. The McAfee risk rating determines how quickly we deliver a patch or update.

Security Bulletins may contain product lists with the following designations: Vulnerable, Not Vulnerable, Vulnerable but Not Exploitable, and Vulnerable, but Low Risk. The list below describes what each of these categories means in terms of potential customer impact:

  • Vulnerable: A product contains a verified vulnerability. The vulnerability poses some level of risk to customers. The associated CVSS score may be taken as an indication of the seriousness of impact from exploitation of the vulnerability in typical deployment scenarios.
  • Not Vulnerable: A product does not contain the vulnerability or the presence of a vulnerable component cannot be exploited in any manner. Use of the product presents no additional risk for customers.
  • Vulnerable, but Not Exploitable: A product contains the vulnerability, perhaps as an included library or executable in the image; however, the product provides sufficient security controls such that the vulnerability is not exposed to threat agents, making exploitation of the vulnerability very difficult to impossible. Use of the product presents no additional risk for customers.
  • Vulnerable, but Low Risk: A product contains the vulnerability, perhaps as an included library or executable in the software image; however, the impact from exploitation is negligible and provides no additional attacker value from exploitation. Use of the product likely presents little additional risk for customers using the product in recommended and typical deployment scenarios.