Major security sites hit by XSS bugs

Security sites could be used to spread malware, finds report.

The Web sites of three of the security industry's best-known companies include security flaws that could be used to launch scams against customers, according to a new report.

The report, from security watchdog site XSSed, verified 30 cross-site scripting (XSS) vulnerabilities across the sites of McAfee, Symantec and VeriSign. The flaws could be used to launch scams or implant malicious code on the systems of visiting users, according to XSSed.

Recent research has shown that attackers are increasingly - even predominantly - now using legitimate sites to host their malware, a tactic that makes the malware distribution sites more difficult to shut down.

XSSed's results show that even major security firms are not exempt from the problem, according to XSSed.

In January XSSed found that 60 Web sites that had received a "Hacker Safe" certification from McAfee's ScanAlert service were in fact vulnerable to XSS attacks.

McAfee and other major security firms have downplayed the seriousness of XSS flaws, compared for instance to flaws that allow an attacker direct access to customer data stored on a server.

In recent months the real-world exploitation of XSS flaws has boomed, exploiting major Web sites such as MySpace, Paypal and a major Italian bank.

Last week ScanSafe reported that 68 percent of all malware it blocked in May was found on legitimate sites that had been hacked, more than quadruple the level of a year earlier.

Such flaws can be used to steal user cookies, to steal website login credentials and to exploit users' trust of a site in other ways, and in theory can be shut down quickly once the owner of the site is made aware of the problem.

However, the techniques used by hackers are highly automated, allowing them to "colonize" large numbers of vulnerable sites at once, ScanSafe noted. By contrast, the fixes are not necessarily so easy, researchers have noted.

In a research note in May, F-Secure noted that one legitimate site had been repeatedly hacked and used to spread malicious code, and each time it needed to be contacted to fix the problem.

"The site cannot simply be pulled offline without collateral damage to the legitimate business. So the website's administrator must be contacted to repair the damage," said F-Secure's Sean Rowe in the research note.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?