Websites Associated with McAfee Open to XSS Attacks

Methodman, a white-hat hacker and member of the programming outfit Team Elite, has posted proof-of-concept exploit code on the Internet against websites associated with the international IT security company McAfee. Methodman states that these websites contain cross-site scripting (XSS) security flaws that could enable injection of malicious IFrames and redirection to rogue destinations.

The hacker, in addition to the proof-of-concept, has also posted screenshots of the flaws after finding them on kc.mcafee.com, a website that a business partner of McAfee administers.

The researcher states that hackers favor exploiting XSS vulnerabilities by injecting concealed IFrames into a web page. The IFrames can then be used to install arbitrary software, such as malware or exploits, from remote servers. Meanwhile, according to the researcher, the particular XSS flaws found on the McAfee sites are not persistent. Even so, it is possible to craft malformed links and spam them through malware-distribution schemes, combining them with other tactics that make the links appear genuine and trick users at large.

Another McAfee website found vulnerable to such IFrame insertion is mcafeerebates.com. The site's vulnerabilities could also be abused to redirect visitors to a URL of the hacker's choosing or, alternatively, to display JavaScript warnings.

Meanwhile, the study shows that the XSS flaws on McAfee websites are quite similar to the recent 'Mikeyy' virus on Twitter, since the XSS problem is an outcome of poor filtering. While one may excuse Twitter for getting its foundations wrong at the very start, the same is not possible in the case of McAfee, which has built its whole business on its vast expertise and knowledge of IT security, the security researchers stated.

The researchers also stated that McAfee was the most recent antivirus vendor whose websites were vulnerable to such XSS attacks, following other vendors such as Kaspersky, Symantec, ESET, F-Secure, BitDefender, AVG and Avira.

Commenting on the vulnerabilities detected on McAfee websites, the researchers said they could harm the company's reputation, since it has done business worth millions of dollars from its security software.


» SPAMfighter News - 5/9/2009
