Feeds

McAfee site crawling with scripting bugs say researchers

XSS marks the spot

Beginner's guide to SSL certificates

Flaws on McAfee's website leave it vulnerable to cross-site scripting and other attacks, security researchers warn.

YGN Ethical Hacker Group also discovered various lesser information disclosure bugs on the security firm's website, according to an advisory published on a full disclosure mailing list on Monday.

YGN said it published the details only after notifying McAfee privately of the problems back on 10 February.

Cross-site scripting (XSS) flaws create a means to present content from a third-party website in the context of a vulnerable site. The class of flaw, which is a perennial problem in website development, creates a possible mechanism to mount phishing attacks or other sorts of malfeasance.

In a statement, McAfee said no harm had come of the vulnerabilities, which it said it was in the process of fixing.

Early on Monday March 28, 2011, various online news outlets reported on vulnerabilities in McAfee Web sites. McAfee is aware of these vulnerabilities and we are working to fix them.

It is important to note that these vulnerabilities do not expose any of McAfee's customer, partner or corporate information. Additionally, we have not seen any malicious exploitation of the vulnerabilities.

McAfee along with other security vendors have had problems in this area in the past. For example, security enthusiasts at XSSed found cross-site scripting bugs on the websites of McAfee, Symantec and VeriSign back in 2008.

Programming errors that give rise to XSS vulnerabilities are nothing out of the ordinary, but the industry is entitled to hold McAfee to a higher standard than other organisations, especially given it markets its McAfee Secure service as a way for enterprises to identify problems on their websites. ®

Intelligent flash storage arrays

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.