Cross-site scripting weakness allows for arbitrary content injection

Mar 11, 2009 09:02 GMT

In keeping with a recent run of vulnerability disclosures affecting the websites of antivirus vendors, AVG Technologies has joined the list with a still-exploitable XSS flaw that can be used to inject content into a page on its website.

The cross-site scripting flaw was discovered by a user going by the handle "CrueLChiLd" and was reported to the XSSed project on 2 March 2009, according to the entry in its archive. Notably, AVG has still not addressed the bug as of this writing, as the screenshot we have taken shows.

Such vulnerabilities are currently the most common class of web flaw and generally result from poor coding of the pages: user-supplied input, typically a URL parameter, is reflected into the HTML response without validation or output encoding. An attacker who can get a victim to follow a crafted URL can therefore run script of their choosing in the victim's browser, in the context of the trusted site.

For such an attack to succeed, it is generally combined with social engineering: the victim has to be persuaded to follow the crafted link. This means that the more popular and trusted a website is, the more dangerous the XSS weaknesses affecting it are. Malware distributors, for example, go to great lengths to make their e-mail spam as believable as possible, employing various tactics to disguise links so that they appear to point to legitimate websites.

In such cases, a crafted URL on a domain belonging to an antivirus vendor, of all things, whose domain name has a global traffic rank of 523 on Alexa, can significantly add to the success rate of their campaigns. Beyond injecting arbitrary content into the affected page, the avg.com XSS can be used to pop up arbitrary alert dialogs or, unless the cookies are flagged HttpOnly, to read session cookies and send them to an attacker.

Recent similar weaknesses have been reported on websites belonging to ESET, Avira, Kaspersky Labs and Intel Security Center by members of a group called ']['€AM€LiT€ (Team Elite). Another self-proclaimed ethical hacking outfit, HackersBlog, has disclosed more serious SQL injection vulnerabilities affecting web pages controlled by Kaspersky, F-Secure, Bitdefender and Symantec.

AVG Technologies provides various security solutions for both home and business customers. The company is best known for its popular AVG Anti-Virus Free Edition product, employed by users worldwide. The XSSed project maintains an archive of cross-site scripting vulnerabilities, which are reported to it by independent security researchers, penetration testers and hackers. The website offers the possibility of signing up to receive notifications in case such a flaw is discovered in a particular domain.

Note: We have notified AVG of this vulnerability and we are awaiting its response. We will return with more information as it becomes available.

Images: AVG website vulnerable to cross-site scripting; example of content injection on avg.com.