Major security sites hit by XSS bugs

Security sites could be used to spread malware, finds report.

The Web sites of three of the security industry's best-known companies include security flaws that could be used to launch scams against customers, according to a new report.

The report, from security watchdog site XSSed, verified 30 cross-site scripting (XSS) vulnerabilities across the sites of McAfee, Symantec and VeriSign. The flaws could be used to launch scams or implant malicious code on the systems of visiting users, according to XSSed.

Recent research has shown that attackers are increasingly - even predominantly - now using legitimate sites to host their malware, a tactic that makes the malware distribution sites more difficult to shut down.

XSSed's results show that even major security firms are not exempt from the problem, according to XSSed.

In January XSSed found that 60 Web sites that had received a "Hacker Safe" certification from McAfee's ScanAlert service were in fact vulnerable to XSS attacks.

McAfee and other major security firms have downplayed the seriousness of XSS flaws, compared for instance to flaws that allow an attacker direct access to customer data stored on a server.

In recent months the real-world exploitation of XSS flaws has boomed, exploiting major Web sites such as MySpace, Paypal and a major Italian bank.

Last week ScanSafe reported that 68 percent of all malware it blocked in May was found on legitimate sites that had been hacked, more than quadruple the level of a year earlier.

Such flaws can be used to steal user cookies, to steal website login credentials and to exploit users' trust of a site in other ways, and in theory can be shut down quickly once the owner of the site is made aware of the problem.

However, the techniques used by hackers are highly automated, allowing them to "colonize" large numbers of vulnerable sites at once, ScanSafe noted. By contrast, the fixes are not necessarily so easy, researchers have noted.

In a research note in May, F-Secure noted that one legitimate site had been repeatedly hacked and used to spread malicious code, and each time it needed to be contacted to fix the problem.

"The site cannot simply be pulled offline without collateral damage to the legitimate business. So the website's administrator must be contacted to repair the damage," said F-Secure's Sean Rowe in the research note.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?