Updated 5:15 p.m. PDT with McAfee saying most of the vulnerabilities have been fixed.
Security researcher Mike Bailey released this screen shot showing that he gained access to McAfee Secure via a cross-site request forgery hole. (Credit: Skeptikal.org)
Security vulnerabilities on McAfee sites, including one designed to scan customers' sites for flaws, exposed certain customer accounts and could have been used for phishing attacks in which malware disguised as McAfee software could be distributed, security experts say.
McAfee said late on Tuesday that most of the vulnerabilities were fixed, except for one part of the Web site that was taken offline to be fixed.
The McAfee sites were found to be vulnerable to cross-site scripting (XSS) attacks and cross-site request forgery attacks that could lead to phishing attacks on customers who think they are visiting the security vendor's site, according to an article on ReadWriteWeb.
Ironically, one of the vulnerable sites was McAfee Secure, which scans customer sites to determine if they are vulnerable to such attacks. The problem would signal that either McAfee doesn't run McAfee Secure across all of its own sites or the product doesn't work well, the report said.
To fall victim to a cross-site request forgery attack on that site, targets would have to be logged into their McAfee accounts and browse to a malicious Web site that exploits the vulnerability, according to the Risky.biz site.
Such attacks on sites of antivirus vendors are particularly dangerous because they enable attackers to create fake versions of security products that install Trojans or other malware, and customers will trust them, Lance James, co-founder of Secure Science Corporation, told ReadWriteWeb.
The hole on the McAfee Secure site would indicate that the company failed to comply with PCI requirements for Approved Scanning Vendors, didn't use a secure software development lifecycle in building the application, and neglected to do an in-depth penetration test of the site, security researcher Mike Bailey wrote on his Skeptikal.org blog on Monday.
McAfee spokesman Joris Evers said the site taken offline was the McAfee Knowledge Center, which is part of its customer support site that uses software from a third-party provider. The site had a cross-site scripting vulnerability, he said.
"These types of vulnerabilities are rarely exploited in the wild and thus aren't deemed to be severe," he said in an e-mail. None of the vulnerabilities exposed any McAfee corporate information and the company had not seen any malicious exploitation of the vulnerabilities, he added.
"McAfee has strict policies in place for its own Web sites and for services provided by third parties," Evers said. "We are investigating how these particular vulnerabilities were not identified in our screening process and will adjust our processes if necessary."
McAfee isn't the only security company to have security problems on its site. Last month, The Register reported on a cross-site scripting vulnerability on Symantec's site. And in February, a Romanian hacker site claimed to have used cross-site scripting and SQL injection attacks to breach the sites of F-Secure, Kaspersky, and BitDefender.
Google released a new version of its Chrome browser Thursday to fix a high-severity security problem.
The problem affects Google's mainstream stable version of Chrome and is fixed in the new version 1.0.154.59. Google has built Chrome so it updates itself automatically with no user intervention, though the software must be restarted for the new version to run.
The security problem, reported April 8 by Roi Saltzman of the IBM Rational Application Security Research Group, allowed cross-site scripting attacks. Such methods can make a Web browser process unauthorized code such as JavaScript, enabling a variety of attacks, including impersonation or phishing.
Mark Larson, Google Chrome program manager, described the problem this way in a blog posting Thursday:
An error in handling URLs with a chromehtml: protocol could allow an attacker to run scripts of his choosing on any page or enumerate files on the local disk under certain conditions.
If a user has Google Chrome installed, visiting an attacker-controlled Web page in Internet Explorer could have caused Google Chrome to launch, open multiple tabs, and load scripts that run after navigating to a URL of the attacker's choice. Such an attack only works if Chrome is not already running.
Don't count Internet Explorer out just yet.
On Wednesday, Microsoft released the second public beta for Internet Explorer 8. If anything, this release brings IE up to par with alternative browsers such as Opera, Apple's Safari, and Mozilla's Firefox in terms of security and features. It also pushes Microsoft a little ahead of the competition.
The user interface hasn't changed much since Internet Explorer 8 Beta 1, except to add a Security pull-down menu between Page and Tools on the main toolbar. In addition to blocking phishing sites, IE 8 now highlights the main domain of any Web site you visit. Thus if you think you are on eBay's site and something other than ebay.com is highlighted, chances are you are on the wrong Web site.
IE 8 also contains a cross-site scripting filter, one of the first in a mainstream browser. Cross-site scripting allows an attacker to execute script on a user's browser without them knowing. When the IE 8 filter finds a Web page with a cross-site scripting request, it changes the content on the page with a notice. Users are not presented with an option; IE simply blocks the malicious script from executing and then displays the rest of the page.
In another feature, known as InPrivate, Microsoft allows you to suspend caching functions while you surf. Scenarios for using InPrivate include using someone else's computer, for instance when you need to buy a gift for a loved one without ruining the surprise, or using an Internet kiosk when you don't want the next person to know which Web site you visited. While you can currently clear the browser cache with a mouse click, it's an all-or-nothing action. InPrivate temporarily suspends the automatic caching functions, allowing you to keep the rest of your browsing history intact. Apple Safari has offered this feature for a while, but Mozilla Firefox does not.
IE 8 Beta 1 has already introduced several behind-the-scenes security changes. For example, ActiveX components will be installed per user, which eliminates the need for everyone to have administrator privileges. In addition, you must acknowledge or opt in for the component to run, eliminating drive-by downloads. Components will be per site and will only be available from the site of origin. Finally, site developers can request killbits from Microsoft which can be sent via Windows Update to terminate risky or outdated components.
Also, IE 8 Beta 1 included Microsoft's own brand of malware protection. Earlier this year, Opera added Haute Secure malware protection, and Mozilla enhanced its Google and StopBadware malware protection in Firefox 3.






