Feeds

McAfee site crawling with scripting bugs say researchers

XSS marks the spot

Top three mobile application threats

Flaws on McAfee's website leave it vulnerable to cross-site scripting and other attacks, security researchers warn.

YGN Ethical Hacker Group also discovered various lesser information disclosure bugs on the security firm's website, according to an advisory published on a full disclosure mailing list on Monday.

YGN said it published the details only after notifying McAfee privately of the problems back on 10 February.

Cross-site scripting (XSS) flaws create a means to present content from a third-party website in the context of a vulnerable site. The class of flaw, which is a perennial problem in website development, creates a possible mechanism to mount phishing attacks or other sorts of malfeasance.

In a statement, McAfee said no harm had come of the vulnerabilities, which it said it was in the process of fixing.

Early on Monday March 28, 2011, various online news outlets reported on vulnerabilities in McAfee Web sites. McAfee is aware of these vulnerabilities and we are working to fix them.

It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities.

McAfee along with other security vendors have had problems in this area in the past. For example, security enthusiasts at XSSed found cross-site scripting bugs on the websites of McAfee, Symantec and VeriSign back in 2008.

Programming errors that give rise to XSS vulnerabilities are nothing out of the ordinary, but the industry is entitled to hold McAfee to a higher standard than other organisations, especially given it markets its McAfee Secure service as a way for enterprises to identify problems on their websites. ®

Combat fraud and increase customer satisfaction

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.