XSS flaws found in sites of multiple anti-virus firms
Security researchers have revealed that the websites of no less than six anti-virus firms are vulnerable to cross-site scripting flaws, of a type that might lend themselves to phishing attacks. Some of the firms involved have admitted problems, while others say the issues raised have either already been fixed or are erroneous. …
It seems every time I'm asked to "fix" an infected PC (Vista or XP) it usually has McAfee installed. Of course Comcast is "giving" it to all their high speed internet customers. I just tell the client that their software is worth just what they paid for it.
And the Symantec corporate AV that I use has decided that Reflexive Arcade games are all trojans and need to be quarantined. Ah well, back to the drawing boards...
Let's get the whole web on XHTML strict - no iFrames (huzzah).
Granted many payment system and 3D Secure integrations will break but what the hey, as far as I'm concerned frames of any stripe have always been a work of pure evil except possibly in closed systems (like CMS or VPN).
@Symantec
All bugs have been tested two days ago by one of softpedia editor and all worked well !
You can see all screens in their article :)
XSS is everywhere!
I had two XSS on the lovefilm website. Which they slightly patched
Filtering just the < character
But most websites with search functions. I find are vuln to XSS
Not particularly hard. Ohh hack the planet, where's me layer tool.
"Symantec takes the security of its website very seriously and can confirm that no company or customer information was exposed."
The fact that Symantec take security of anything "very seriously" just screams bullshit to me.
It is a browser vulnerability and not web server vulnerability that we see here.
yes, ok...if a website filters user input..etc., xss attacks are REDUCED, but will never go away
on the other hand, if you DISABLE javascript and iframes on your WEB BROWSER, then XSS, PHISHING attacks are not just reduced, but something you DO NOT HAVE TO WORRY ABOUT. As in, you won't be a victim of xss or phishing attacks.
In Summary, it is browser vulnerability and people seem to think that it is a web server vulnerability.
Dirty Half Dozen? What has this got to do with a PRI Banger team?
BitDefender is the best, they didn't exposed any customer data, and the software is great also. I have bitdefender internet security and it protects me 100% :)
Sign up, sign up for The Register's weekly IT security newsletter - click here
