Site Network: Beskerming.com | Skiifwrald.com | Jongsma & Jongsma

Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.

Username: | Password: Contact us to request an account

Security Irony from Microsoft and Symantec

Security is a very difficult thing to get right, whether it is a company that has committed itself to overcoming historical security flaws and implementing a secure development process, such as Microsoft, or a company that exists to deliver Information Security services and products to governments, businesses, and consumers, such as Symantec.

One of Microsoft's most recent vulnerabilities that has been disclosed is a flaw in their XSS protection built into Internet Explorer 8. This component, which is designed to re-encode websites while rendering them, in order to nullify any embedded XSS, apparently contains a vulnerability that can actually end up being used to introduce an XSS attack to a site that otherwise would not be vulnerable (by virtue of the fact that it modifies the rendering of the page as it loads). The exact details of the vulnerability have not been disclosed, but the timing and apparent source (Google) of the news is interesting, given Microsoft's recent discovery of a vulnerability in a Google product. Given that Microsoft were apparently notified of the vulnerability some time ago, it does seem a little bit of tit-for-tat rather than responsible vulnerability handling from both parties.

In Symantec's case, a site dedicated to supporting PC Doctor for Japanese and South Korean clients was found to have a SQL Injection vulnerability, that allowed the disclosure of sensitive client data and product registration details. It isn't the first time that the Romanian hacker Unu has found vulnerabilities with Symantec's online offerings, with a similar flaw found earlier this year. While Symantec played down the severity of that particular vulnerability, it seems that this time they have admitted that this flaw is severe.

26 November 2009

Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis

Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.

Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.

Comments will soon be available for registered users.