By Dan Goodin in San Francisco
15th April 2009
Symantec has been outed for hosting gaping security holes on its website
that could allow miscreants to remotely execute malicious code on the
computers of people who visit it.
The XSS, or cross-site scripting, bugs allow attackers to steal the web
cookies Symantec sets on visitors' hard drives. Such cookies are
frequently used to prove a visitor has already entered a valid password,
so the ability to lift the file could be a non-trivial lapse of
Other exploits showed it was possible to inject images from third-party
websites such as imageshack.us. They were documented by a hacking
collective that calls itself t3am3lite. Less-charitable hackers could
exploit unpatched vulnerabilities or carry out other malicious acts.
It's the latest example of a large company or organization that should
know better succumbing to garden-variety web bugs that put their users
at risk. Along with SQL injections and CSRFs, or cross-site request
forgeries, XSS attacks leave end-users open to malware and phishing
attacks while visiting trusted websites.