Secure Elements fixes flaws in security product

31.05.2006
Secure Elements Inc., a Herndon, Va.-based vendor of vulnerability management and auditing products, today downplayed the seriousness of multiple vulnerabilities that were disclosed in its flagship product by the U.S. Computer Emergency Readiness Team (US-CERT) Tuesday.

A spokesman for Secure Elements said the vulnerabilities in question had been reported to the company in November 2005 by one of its customers. Since then, all of the flaws have been patched and the company has been working since January to migrate all of the customers affected by the flaws to a fully patched version of the product.

"This is no longer an issue," said Scott Armstrong, vice president of product marketing at Secure Elements. "The reality is that the [affected product] is no longer being used by any of our customers. It is not available."

US-CERT Tuesday published vulnerability notes detailing 19 flaws in Version 2.8.0 of Secure Elements' C5 EVM vulnerability management suite. The product was previously known as C5 AVR.

Among the flaws listed by US-CERT were the transmission of sensitive information in clear text between the AVR server and client product, the presence of hard-coded user IDs and passwords in the AVR server, and access control and authentication vulnerabilities.

Armstrong said the vulnerabilities were uncovered last November by the Computer Incident Response Team at the National Oceanic and Atmospheric Administration (NOAA). Secure Elements' vulnerability management product had been selected for enterprisewide deployment at NOAA, and the product was being subjected to routine security testing by the organization's incident response team when the flaws were discovered, he said.

He said that none of the vulnerabilities had posed a particularly severe threat to customers at any time. "The best practices of N-CIRT and US-CERT [are] they disclose all vulnerabilities that are discovered. They were following a fairly standard process" in disclosing the flaws, Armstrong said.

Secure Elements is the second security vendor to appear in the news over the past few days because of flaws in its products. Last week, industry leader Symantec Corp. confirmed a serious flaw in its antivirus products that was discovered by eEye Digital Security Inc. The flaw, which potentially allowed malicious attackers to write worms targeting users running the affected software, was patched by Symantec over the weekend.

In March, a faulty antivirus software update from McAfee Inc. wreaked havoc on users when it mistakenly identified hundreds of legitimate programs as a Windows virus, causing users to accidentally delete data from affected computers.