McAfee, the anti-virus software maker, admits that two security holes in its SaaS for Total Protection product could grant spammers access to users' computers. The first glitch potentially allows attackers to execute code through an ActiveX command, though an earlier patch for a separate issue renders the exploit unworkable. A second glitch in the company's "rumor" technology allows hackers to turn the computer in question into an "open relay" through which spam could be sent, though they wouldn't have access to the user's data. At least one user has fallen prey to the attack so far. In a post on the company's website, Director of Security Research David Marcus explains the issue, and says that the flaw should be automatically patched by January 19th. While it looks like McAfee has responded to the problem quickly and openly, it's a pretty serious PR gaffe for a security company.
Update: McAfee has let us know that the patch is rolling out now to Total Protection customers, and will "immediately eliminate any security risk."