"It's your classic communications faux-pas," Mike Rothman, owner of industry analyst firm Security Incite, said today. "Customers put a lot of trust in folks who provide software for them and they expect you to be up front and come clean when things like this happen."
The bug, which affects the vendor's ePolicy Orchestrator (EPO), could allow attackers to compromise systems and execute malicious code. EPO, one of the most widely deployed enterprise security solutions, runs from a centralized location and lets administrators enforce policy, deploy agents and monitor security.
The vulnerability was fixed in February, but at the time, McAfee presented the update as adding new features rather than fixing a security hole, security experts said. As a result, many organizations chose not to update, although experts do not think the flaw affected any users.
Last week, McAfee finally admitted to the vulnerability and urged customers to update their solution after researchers from eEye Digital Security exposed the problem.
"McAfee apologizes for any unintended impact to customers as a result of this published vulnerability. We know that our ability to protect customers quickly in the event of an outbreak depends largely on your confidence in our work," the company said in an email to clients, as reported today by the Associated Press.
In an advisory, eEye criticized McAfee for not disclosing the vulnerability to customers.
"Fixing an extremely critical vulnerability without the proper notification is a disservice to customers," the advisory said. "The mindset of most customers, especially when dealing with agent software, is to use what works. This creates a scenario where organizations would potentially choose to stick with their current deployments, rather than redeploying hundreds, if not thousands, of new agents for what would appear to solely contain innocuous feature updates."
Representatives from McAfee did not immediately return a telephone call seeking comment.