Feeds

XSS flaws found in sites of multiple anti-virus firms

Dirty half-dozen

SANS - Survey on application security programs

Security researchers have revealed that the websites of no less than six anti-virus firms are vulnerable to cross-site scripting flaws, of a type that might lend themselves to phishing attacks.

Some of the firms involved have admitted problems, while others say the issues raised have either already been fixed or are erroneous.

Nemesis, a gang of programmers and security bods that work mostly in chat room software development, reckons the sites of Symantec, Kaspersky, Eset (Nod32), AVG, F-secure and Trend Micro are all vulnerable, one way or another. The group has posted screen shots to back up its claims in an advisory here.

El Reg contacted the six firms involved on Monday evening, some of who have already got back to us. We'll add statements from the others as and when they become available.

  • Trend Micro said the flaw highlighted by Nemesis is on a part of its site which is outsourced. The firm added that the flaw was in the process of getting fixed.
  • Eset said the site with the alleged flaw, eset.co.il, was run by its Israeli distributor. "The iFrame injection has been removed from eset.co.il and today (Tuesday) the site will be deeply scanned to fix all other possible vulnerabilities," it said in a statement.
  • Symantec said the reported vulnerability on its site was discovered and fixed last month. "Symantec was notified of a reported security vulnerability on a webpage within Symantec's website back in April," a spokeswoman explained. "Upon notification of the potential vulnerability, Symantec immediately conducted comprehensive testing and fixed the vulnerability. Symantec takes the security of its website very seriously and can confirm that no company or customer information was exposed."
  • AVG said there wasn't any problem with its site. “We’ve investigated the issue as raised by The Register, and we can report that there is no vulnerability on the AVG website. We’re always looking at potential security issues – and extra ways to keep our customers’ data secure. As an internet security company, we often find that we come under attack from the bad guys."

Broadly speaking the cross-site scripting flaws detailed by the Nemesis make it possible to present rogue iFrames from third-party servers as if they came from the sites of security vendors a surfer might be visiting. This type of vulnerability therefore lends itself to attacks that rely on impersonation, such as phishing. XSS flaws, more generally, also pose cookie stealing and other risks.

This class of vulnerability has popped up on the website of security firms over recent months. Most notable Romanian hacking group HackersBlog exposed XSS flaws on the websites of Kaspersky, BitDefender, F-Secure and Symantec in a two month campaign before the group got bored and disbanded in late March 2009.

Other incidents of similar problems on the websites of McAfee and Symantec have cropped up since to the point where its tempting to think that the problem has become endemic.

In other security-related news, AVG released a fix for a vulnerability involving how its software processes Zip files. An advisory on the flaw, discovered by security researcher Thierry Zoller, can be found here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.