Major security sites hit by XSS bugs

The Web sites of three of the security industry's best-known companies include security flaws that could be used to launch scams against customers, according to a new report.

The report, from security watchdog site XSSed, verified 30 cross-site scripting (XSS) vulnerabilities across the sites of McAfee, Symantec and VeriSign. The flaws could be used to launch scams or implant malicious code on the systems of visiting users, according to XSSed.

Recent research has shown that attackers are increasingly - even predominantly - now using legitimate sites to host their malware, a tactic that makes the malware distribution sites more difficult to shut down.

XSSed's results show that even major security firms are not exempt from the problem, according to XSSed.

In January XSSed found that 60 Web sites that had received a "Hacker Safe" certification from McAfee's ScanAlert service were in fact vulnerable to XSS attacks.

McAfee and other major security firms have downplayed the seriousness of XSS flaws, compared for instance to flaws that allow an attacker direct access to customer data stored on a server.