The firewall component in Microsoft"s Windows OneCare security bundle has holes, experts have warned.
The security software, available in a public beta version, by default allows applications that use the Java Virtual Machine or have a digital signature to connect to the Internet. Like any blanket security-bypass rule, these default settings are a bad idea, said Mark Curphey, vice president at vulnerability management specialist Foundstone, a part of McAfee.
"Any firewall, any security device should have a default deny," Curphey said in an interview Tuesday. "Any door should always be closed." Curphey discovered the issue when running software on his wife"s computer, on which he had installed OneCare. He informed Foundstone security consultant Roger Grimes, who subsequently blogged about it on the InfoWorld Web site. Grimes also blasted the default bypass settings.