http://www.theregister.co.uk/2009/04/15/symantec_xss_bugs/

By Dan Goodin in San Francisco
The Register
15th April 2009

Symantec has been outed for hosting gaping security holes on its website that could allow miscreants to remotely execute malicious code on the computers of people who visit it.

The XSS, or cross-site scripting, bugs allow attackers to steal the web cookies Symantec sets on visitors' hard drives. Such cookies are frequently used to prove a visitor has already entered a valid password, so the ability to lift the file could be a non-trivial lapse of Symantec's security.

Other exploits showed it was possible to inject images from third-party websites such as imageshack.us. They were documented by a hacking collective that calls itself t3am3lite. Less-charitable hackers could exploit the hole to inject javascript or other types of code that exploits unpatched vulnerabilities or carries out other malicious acts.

It's the latest example of a large company or organization that should know better succumbing to garden-variety web bugs that put their users at risk. Along with SQL injections and CSRFs, or cross-site request forgeries, XSS attacks leave end-users open to malware and phishing attacks while visiting trusted websites.

[...]

Received on Wed Apr 15 2009 - 22:09:15 PDT