McAfee Sites Vulnerable To XSS Attack

An anonymous reader notes that this weekend, ReadWriteWeb discovered a security hole on several McAfee sites, which lets any attacker piggyback on the company's reputation and brand in order to distribute malware, Trojans, or anything else. The submitter adds an ironic coda to McAfee's epic fail: "In the 'how to HTML Injection' section, the author provided the four steps needed to execute a simple, no-brainer injection, but unfortunately exposed a hole in the NY Times website when they republished the article. While the author changed the offending text to an image, the Times is still using the original story, which redirects directly to ReadWriteWeb [via XSS]." From the RWW post: "During tests this weekend, we discovered the company who claims to 'keep you safe from identity theft, credit card fraud...' has several cross-site scripting vulnerabilities and provides the bad guys with a brilliant — albeit ironic — launching pad from which to unleash their attacks."
  • Hmm. (Score:3, Interesting)

    by Phroggy ( 441 ) on Tuesday May 05, 2009 @04:59AM (#27827933) Homepage

    Yikes. I wonder if any of my code has that vulnerability. I don't think so. I try to make sure I run all user-submitted text through something to escape those kinds of characters before sending it back to the browser as HTML, but it's possible I could have missed something somewhere. The only time I don't do this is if the user-submitted input is first passed through an input validator that should reject anything containing dangerous characters (for example, a valid e-mail address cannot contain HTML tags, so if I reject all but a valid e-mail address, then I don't need to sanitize the e-mail address). But how can I be sure I haven't missed anything somewhere?

    The only way I could be sure is if I did a thorough audit of all my web site code, and I really don't want to go through that hassle. It's probably fine. I've never had an XSS attack used successfully against any site I've built. Certainly not one that was using SSL. So let's just assume that this trend will continue!

    Right?

  • Re:Hmm. (Score:4, Interesting)

    by growse ( 928427 ) on Tuesday May 05, 2009 @05:18AM (#27827995) Homepage

    I find it easiest to not validate anything on input, because I don't know what my output is necessarily going to be - could be HTML, could be PDF (for example). If I am outputting to non-HTML I don't want to wade through HTML-encoded soup to get something sensible back out.

    If I'm outputting to web, I then always validate / encode *all* content, usually using something like the Microsoft AntiXSS library. This stops user-inputted markup from being rendered, but it also stops markup that's been maliciously inserted into your database from being remembered. Remember the SQL injection attack that appended a javascript snippet to every field it could find? It was looking to do an XSS attack.

    If you need to chuck out user-generated markup, make sure you construct your whitelist and ruleset very carefully.
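    An added example (not code from the thread or from the AntiXSS library growse mentions) showing the approach the two posts above describe: keep the stored value raw, escape every field at the HTML output boundary, and allowlist-validate a field like e-mail whose grammar cannot carry markup. The record, the e-mail pattern and the function names are constructed for this illustration.

```python
import html
import re

# Constructed record standing in for a row that a mass SQL-injection run has
# tampered with (the pattern growse's post mentions): a script tag was
# appended to text columns. All values here are made up for this example.
STORED_RECORD = {
    "display_name": "Alice<script>alert(1)</script>",
    "email": "alice@example.com<script>alert(1)</script>",
    "bio": 'Likes "quotes" & <b>bold</b>',
}

# Phroggy's point: a syntactically valid address cannot contain markup, so
# a strict allowlist check makes escaping redundant for that one field.
# Deliberately simple pattern; it is a stand-in, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def validate_email(value):
    """Return the address if it passes the allowlist, otherwise None."""
    return value if EMAIL_RE.fullmatch(value) else None

def encode_html(value):
    """Escape for an HTML text node or a *quoted* attribute value.

    Escapes & < > " and ' so stored markup is displayed, not rendered. An
    unquoted attribute is a different context and is not covered here.
    """
    return html.escape(value, quote=True)

def render_html(record):
    """Encode every field at the output boundary, whatever it contains."""
    email = validate_email(record["email"])
    return (
        f'<tr data-name="{encode_html(record["display_name"])}">'
        f'<td>{encode_html(record["display_name"])}</td>'
        f'<td>{encode_html(email) if email else "(invalid address)"}</td>'
        f'<td>{encode_html(record["bio"])}</td></tr>'
    )

def render_plaintext(record):
    """Non-HTML output (e.g. a text export) reads the raw stored value,
    which is why nothing was encoded at input time."""
    return f'{record["display_name"]}\t{record["bio"]}'

if __name__ == "__main__":
    print(render_html(STORED_RECORD))
    print(render_plaintext(STORED_RECORD))
```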
  • by wild_quinine ( 998562 ) on Tuesday May 05, 2009 @05:32AM (#27828047)

    I found an old USB stick the other day with McAfee's superdat (definitions and engine update) file circa 2006. That's only two and a half years ago. It was a real wake-up call. The superdat was just over 6 MB in size.

    These days you can't fit the application and latest superdat onto a 128 MB stick - and when I tell you that the application is only 20 MB in size, you'll realise what a change this is. Their updates have been spiralling out of control for two years. Now, some may argue that there's a lot more malware out there now, and I won't disagree. But I will say this: McAfee hasn't been getting significantly better as far as I can tell, and none of the other major players seem to have experienced this definitions file explosion, ergo McAfee is doing something wrong.

    Furthermore, their version 8 enterprise has one of the worst failures I've ever seen for a virus scanner, which is hilariously related to the above. The application no longer knows how to handle its own virus definitions catalog: I'm not sure whether that's the sheer size, or the number of entries, but either way the update fails because of it. But get this: it says that the update has succeeded!

    Can you imagine a more epic fail for a virus scanner than saying it's up to date, but being wrong? Neither could I, till I read the news today.

    So long McAfee, I hope you enjoyed your time with the big players.

  • by daveime ( 1253762 ) on Tuesday May 05, 2009 @06:21AM (#27828215)

    It's a web page exploit, wtf does it have to do with Windows ?

    Redirects work in all browsers, and while I can't speak for Firefox, at least MSIE 8 will warn you of a possible cross domain phishing attempt.

    McAfee also make products for Linux and Apple you know.

    Just another anti-ms troll who can't wait to make his mark on /.

    Winslows is teh suxxors !!!

  • Furthermore, their version 8 enterprise has one of the worst failures I've ever seen for a virus scanner, which is hilariously related to the above. The application no longer knows how to handle its own virus definitions catalog: I'm not sure whether that's the sheer size, or the number of entries, but either way the update fails because of it. But get this: it says that the update has succeeded!

    They were just trying to catch up to Norton/Symantec Antivirus, which has had this feature since version 7 (I ran into it ENDLESSLY at Yuba College.) The fix was to reinstall Windows (ever tried manually removing Norton? heh heh) and run virus def updates manually. The problem remained at least until version 9, which is what they were running when I quit.
