Verisign and anti-virus vendors fix cross-site scripting holes
Verisign has closed several cross-site scripting (XSS) vulnerabilities on its web site. The five holes had been identified by Dimitris Pagkalos in his XSSED blog. Pagkalos' site also lists eight XSS holes on the McAfee web site, seven of which have apparently been eliminated so far, and 17 XSS holes on Symantec's pages, of which 10 have been attended to.
Pagkalos points out that McAfee's "Hacker Safe" certification has proved less trustworthy than expected from the perspective of XSS, although as late as May 1 a McAfee spokesperson told ZDNet "Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification," stating that McAfee considers XSS a lesser threat than other bugs such as SQL injection. However, the Verisign XSS holes cut to the very foundation of confidence in internet security. Verisign – as a root CA and the self-declared "trusted provider of Internet infrastructure services for the digital world" – is normally taken for granted by the public as secure and its web site is automatically trusted.