Attention Symantec: There's a bug crawling on your website
XSS strikes again
Symantec has been outed for hosting gaping security holes on its website that could allow miscreants to remotely execute malicious code on the computers of people who visit it.
The XSS, or cross-site scripting, bugs allow attackers to steal the web cookies Symantec sets on visitors' hard drives. Such cookies are frequently used to prove a visitor has already entered a valid password, so the ability to lift the file could be a non-trivial lapse of Symantec's security.
It's the latest example of a large company or organization that should know better succumbing to garden-variety web bugs that put their users at risk. Along with SQL injections and CSRFs, or cross-site request forgeries, XSS attacks leave end-users open to malware and phishing attacks while visiting trusted websites.
Other sites that have suffered from them include anti-virus providers Kaspersky and BitDefender, financial services American Express and PayPal (repeatedly), and large government agencies including the Department of Homeland Security.
This cookie brought to you by XSS
The bugs can jeopardize a site's good standing with the PCI, or payment card industry, or possibly other regulatory frameworks.
Symantec officials have been notified of the bugs and are working to eradicate them, but at time of publication, the holes were still wide open. You can see more screen shots here. ®
Hi guys, that "exploit" was fixed yesterday (within minutes of when it was reported).
If you're still seeing the error, you've forgotten to authenticate to the site and are seeing cached versions of the error that are, unfortunately, cached by our content delivery network.
Some of us have to support Symantec Products for 1000's of users because management can't see how shoddy their software is due to the cheapness of the licensing renewals .....
Paris: Because I like to think that she's free of bugs ;)
"can jeopardize a site's good standing"
Yeah, sure. I'll believe that the day it actually happens. In the meantime, I trust that absolutely nothing will impede on Symantec's "good" name.
The last time I looked at their products was somewhere around 1998. It's been bollocks ever since.