Six AV vendor websites open to XSS attacks
Wednesday, May 13, 2009
A hacker with the handle Methodman has posted proof of concept of cross-site scripting (XSS) exploits on the websites of six major anti-virus vendors, including some of the biggest names in the web security business.
Methodman, a member of a group called Team Elite, pointed out on that group's website that some of these companies have run into similar vulnerabilities before.
"We have found several bugs in the past few months, always on the same websites," Methodman wrote. "So now still vulnerable and people still under threat? no doubt!"
Security experts said these companies, who sell products to protect websites from the same type of attacks, should do a better job of fixing the holes - if no other reason than to protect their brands.
Many security vulnerabilities are introduced by software not doing proper input checking of online forms, which can be exploited through code injection or XSS.
In the case of one major security firm, security experts found an online form that allowed users to enter HTML characters such as quotation marks, less than and greater than symbols in fields expecting only numerical input.
Related News:
Conficker still a threat to web security - 3.18.2010
The Conficker worm was by far the most notorious piece of malware in 2009 for several reasons. Not only did it receive media attention and infect more computers than any other strain, according to Katonda, a business technology website, it reminded web security professionals of bygone days when major epidemics were the norm.
Network security update not responsible for crashes - 2.24.2010
Reports of the so-called "blue screen of death" following the installation of the latest Microsoft security update are the result of malware, not a defect in the update.
Botnets and Chuck Norris take aim at network security - 2.22.2010
Last week, word spread of the Kneber botnet compromising more than 2,000 computers worldwide. With the start of a new week comes more malware attacks plaguing the web community. The so-called "Chuck Norris" botnet is attacking routers and DSL modems by guessing commonly used passwords.
Web security company warns of scareware's risk - 2.19.2010
The rise in scareware attacks and cyber criminal behavior in general forced DynaSis, an IT services company, to issue a warning to its users about the threat of fake anti-virus software infecting their computers on Friday.
Age-old trick with brand-new target - 1.18.2010
Cyber criminals have turned to a scam from the early days of the internet to target the growing smartphone market: Trojan phone dialers.
|
