Viruses/Worms News

Six AV vendor websites open to XSS attacks

Wednesday, May 13, 2009

A hacker with the handle Methodman has posted proof of concept of cross-site scripting (XSS) exploits on the websites of six major anti-virus vendors, including some of the biggest names in the web security business.

Methodman, a member of a group called Team Elite, pointed out on that group's website that some of these companies have run into similar vulnerabilities before.

"We have found several bugs in the past few months, always on the same websites," Methodman wrote. "So now still vulnerable and people still under threat? no doubt!"

Security experts said these companies, who sell products to protect websites from the same type of attacks, should do a better job of fixing the holes - if no other reason than to protect their brands.

Many security vulnerabilities are introduced by software not doing proper input checking of online forms, which can be exploited through code injection or XSS.

In the case of one major security firm, security experts found an online form that allowed users to enter HTML characters such as quotation marks, less than and greater than symbols in fields expecting only numerical input.
ADNFCR-1765-ID-19168095-ADNFCR

Related News:

Researchers: Malware attackers reloading for Windows 7 assaults - 11.20.2009
A report issued yesterday by computer security firm Symantec says that hackers are undoubtedly reworking their malicious software to target Windows 7 as more users switch to the latest version of Microsoft's flagship OS.

Want to secure your iPhone against intruders? There's an app for that - 11.20.2009
Cisco Systems today released a free iPhone app that will allow users to receive security updates and the latest news on web threats, as well as aggregating additional security related content for iPhone users.

Microsoft says 64-bit versions of Windows are harder to infect - 11.19.2009
Members of Microsoft's security team write that 64-bit editions of Windows are much less susceptible to malware attacks, but outside experts caution that 64-bit malware could be the next big thing in cyber crime.

Google coming down hard on malicious advertisers - 11.18.2009
Search giant Google has said that it will lay down the law where scam artists and malvertisers are concerned: Permanent bans will be the result of any fraudulent activity on the company's AdWords service.

If at first you don't succeed: Most malware protection fails first round of certification testing - 11.17.2009
A study performed by security testing and research firm ICSA Labs says that almost four out of five computer security products fail their first certification tests and need to be retooled for a second and sometimes a third attempt.
View Related Resources
Or
Watch an Online Demo
Or
Have us call you now