SUNNYVALE, Calif., March 14, 2007 - Fortinet® - a pioneer and leading provider of unified threat management (UTM) solutions - today announced that its Fortinet Global Threat Research Team discovered multiple vulnerabilities in McAfee™ ePolicy Orchestrator and ProtectionPilot. The vulnerabilities allow attackers to take over the affected system by providing a malicious Web page from a controlled Web site. When the user browses the Web page from a machine with the affected products, maliciously formed data causes a buffer overflow leading to arbitrary command execution with the privileges of that user.

The vulnerability affects users of the following specific software:

• McAfee ePolicy Orchestrator 3.6.1 and earlier
• McAfee ePolicy Orchestrator 3.6.0 Patch 5 and earlier.
• McAfee ePolicy Orchestrator 3.5.0 Patch 7 and earlier.
• McAfee ProtectionPilot 1.5.0.
• McAfee ProtectionPilot 1.1.1 Patch 3 and earlier.

McAfee™ users should immediately apply the update provided by McAfee™ on March 13, 2007. Fortinet's security research team was critical in discovering this vulnerability, as noted in the McAfee Security Bulletins:

• https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612495
• https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496

For more information on these vulnerabilities, please visit Fortinet's FortiGuard™ Center at http://www.fortiguardcenter.com/advisory/FGA-2007-03.html.

For ongoing threat research, bookmark the FortiGuard Center (http://www.fortiguardcenter.com/) or add it to your RSS feed by going to http://www.fortinet.com/FortiGuardCenter/rss/index.html. To learn more about FortiGuard Subscription Services, visit http://www.fortinet.com/products/fortiguard.html