[ISN] Attention Symantec: there's a bug crawling on your website

From: InfoSec News <alerts_at_private>
Date: Thu, 16 Apr 2009 00:09:15 -0500 (CDT)
http://www.theregister.co.uk/2009/04/15/symantec_xss_bugs/

By Dan Goodin in San Francisco
The Register
15th April 2009

Symantec has been outed for hosting gaping security holes on its website 
that could allow miscreants to remotely execute malicious code on the 
computers of people who visit it.

The XSS, or cross-site scripting, bugs allow attackers to steal the web 
cookies Symantec sets on visitors' hard drives. Such cookies are 
frequently used to prove a visitor has already entered a valid password, 
so the ability to lift the file could be a non-trivial lapse of 
Symantec's security.

Other exploits showed it was possible to inject images from third-party 
websites such as imageshack.us. They were documented by a hacking 
collective that calls itself t3am3lite. Less-charitable hackers could 
exploit the hole to inject JavaScript or other types of code that 
exploits unpatched vulnerabilities or carries out other malicious acts.

It's the latest example of a large company or organization that should 
know better succumbing to garden-variety web bugs that put their users 
at risk. Along with SQL injections and CSRFs, or cross-site request 
forgeries, XSS attacks leave end-users open to malware and phishing 
attacks while visiting trusted websites.

[...]


Received on Wed Apr 15 2009 - 22:09:15 PDT
