Don’t forget about Web 0.1-1.9

May 7, 2007
Everybody and their mother is going ga-ga over the inherent vulnerabilities of Web 2.0 - sites such as MySpace and YouTube - but when it comes to the insecurity of today's web, just about every website is susceptible to attack.

Take www.freewebcards.com. It's a cluttered and kinda ugly looking site that draws better comparisons to late-90s websites than the modern interactive internet. But sure enough, word reached us this weekend that the site is involuntarily hosting JavaScript malware exploiting a Microsoft Data Access Components vulnerability, patched last year.

But what made this threat so serious was its timing around the popular Mexican holiday of Cinco de Mayo, which, incidentally, was no coincidence.

As Roger Thompson, CTO and co-founder of Exploit Prevention Labs, pointed out Saturday on his blog, a Google search of "what is cinco de mayo?" turns up www.freewebcards.com on the second page of results.

While most end-users should be safe from the exploit, considering the many months that have gone by since it was patched, corporations are potentially at risk because they are less likely to patch automatically, over worries that the process may break home-grown applications, Thompson says.

The folks at freewebcards.com never got back to me for comment but they're said to be working on the problem. Apparently the hackers sent out spam greeting cards, said to be from the site, to get victims to visit and, hopefully, get infected.

The web is as dangerous as ever. Experts have estimated as many as 80 percent of sites are vulnerable.

Anyone can get nailed.

"I think it's the next battleground," Thompson told me today. "If you've got a firewall running, it keeps the bots and the worms out. But when you launch a browser, it creates an instant tunnel right through the firewall."

That's why we'll see more vendors producing safe scanning software and web vulnerability testing tools.
