March 10th, 2009

International Kaspersky sites susceptible to SQL injection attacks

Posted by Dancho Danchev @ 6:40 am

Categories: Anti Virus, Browsers, Hackers, Malware, Passwords, Pen testing, Phishing

Tags: Security, SQL Injection, XSS, Cross Site Scripting, Kaspersky, Public Relations, Dancho Danchev

According to a security group going under the name of TeamElite, the international sites of Kaspersky Iran (kasperskylabs.ir), Taiwan (web.kaspersky.com.tw) and South Korea (kasperskymall.co.kr) are susceptible to SQL injection attacks, allowing the injection of malicious iFrames and potentially assisting malicious attackers in obtaining sensitive data from the web sites in question.
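As an added illustration that is not part of the original post, the root cause behind this class of flaw and its fix side by side: a lookup query built by string concatenation next to the same lookup with a bound parameter, run against a constructed in-memory SQLite table. The table, product names and function names are assumptions made for the demo, not anything taken from the affected sites.

```python
import sqlite3


def make_db():
    """Build a tiny constructed 'reseller site' catalogue in memory (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, internal_note) VALUES (?, ?)",
        [
            ("Antivirus 2009", "internal: reseller price list A"),
            ("Internet Security 2009", "internal: reseller price list B"),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    # Vulnerable pattern: the caller's input is spliced into the SQL text, so a quote
    # character in `term` closes the string literal and the rest is parsed as SQL.
    # This is the shape of bug that lets a site's content or data be altered or read.
    sql = "SELECT name FROM products WHERE name = '" + term + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # Hardened pattern: a placeholder keeps `term` as a value bound by the driver;
    # nothing inside it is ever interpreted as part of the query structure.
    sql = "SELECT name FROM products WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    # A term containing a stray quote: harmless data for the bound query,
    # a changed WHERE clause for the concatenated one.
    odd_term = "x' OR '1'='1"
    print("concatenated :", search_vulnerable(db, odd_term))
    print("parameterized:", search_parameterized(db, odd_term))
```

The parameterized version returns no rows for the odd term because no product is literally named that way; the concatenated version returns the whole table, which is exactly the data-exposure risk the post describes.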

The group’s analysis comes shortly after the series of posts by a Romanian group of serial pen-testers of security vendors, which discovered similar flaws in the web sites of F-Secure, Symantec, BitDefender, and Kaspersky USA.

Let’s start from the basics. PR contingency planning in the spirit of total denial is perhaps the worst thing a vendor can do in this case. Despite the fact that these are reseller web sites managed by local companies, they still hold a license to harness the power of an information security company’s brand; failing to demonstrate basic security awareness by taking care of trivial web application vulnerabilities on these sites can therefore undermine the brand’s integrity and what it stands for in the first place.

From a pragmatic perspective, the licensing company can either exercise pen-testing authority over the locally managed web sites, keep an eye on them through community service warning systems, or introduce obligatory pen-testing before a license is obtained.

Both groups have been notifying the affected vendors according to their posts.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
