Friday, March 16, 2007

Cisco XSS

From Cisco's Security Responses blog:

A cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products has been independently reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt. The vulnerability would allow an attacker to execute arbitrary scripting code in a user's web browser if the attacker is successful in enticing the user to follow a specially crafted, malicious URL.

We recommend that you avoid clicking links in e-mails and instead navigate manually to the referred website. I know this is a hardship and an annoyance, but threat trends lately lean heavily towards a combination of social engineering and malicious URLs. It's very possible for a malicious person to send you an e-mail purporting to be from Cisco or Amazon or PayPal with the sole purpose of getting you to click a link that will allow the attacker to steal your personal data or install malicious software on your computer.
