In an email to customers of its DeepSight threat management service, Symantec warned that its ThreatCon is at Level 2 as it tracks some malicious Web site activity. The heightened alert is also in response to Microsoft’s mega security update Tuesday.
Hours after raising the ThreatCon in response to Patch Tuesday, Symantec sent out another warning that a group operating under the pseudonym “clpwn” has been publicizing high-profile XSS vulnerabilities on a variety of Web sites.
“The current proof-of-concept attacks involve embedding an IFRAME on the target site which contains a URL that points to a HTML page hosted in the clpwn.com domain,” Symantec said in its DeepSight alert.
One clpwn.com HTML page contains an embedded applet and a recently added Shockwave-based port scanner that scans open ports on localhost, Symantec said, adding, “The port scanner appears to be based on some recently released research regarding port scanning with Active Script 3. Customers should be aware that this group has been observed modifying the behavior of the proof-of-concept HTML page over the past few days. In its current form the exploit should be considered malicious.”
Symantec advised customers to browse with caution and block access to the clpwn.com domain at network perimeters.