Booby-trapped web pages are growing at an alarming rate with unsuspecting firms acting as nurseries for botnet farmers, according to a new study. Security watchers at Sophos are discovering 6,000 new infected webpages every day, the equivalent of one every 14 seconds. Four in five (83 per cent) of these webpages actually belong …
Internet Explorer? Again?
With the politicians trying to criminalise "hacking tools", should Internet Explorer still be legal?
Ahhh, you got the 2008 Security Report then?
Interesting read, innit?
too quick to blame IE?
i think you're missing the point here if you're going to jump on the bandwagon, and try to blame internet explorer.
if your client doesn't have the IE iFrame vulnerability, or is not vulnerable to a JS exploit, or some ActiveX bug (there's one every couple of months, seems like), it matters not what the server is doing. if the client is not exploitable, it can't be exploited.
how is this not obvious?
bandwagon has nothing to do with it.
why is it that someone always jumps up to defend IE? it's a commercial product, they have paid marketing drones to handle PR. more importantly, who benefits from such spirited (if not always coherent) defense? and if the party that benefits is Microsoft, one has to wonder whether at least some of the defenders are astroturfing.
No point missed jrb, it doesn't matter at all how the zombie sites are getting infected, NOT THE TINIEST LITTLE BIT when it comes to resolving the effect on the masses pseudo-innocently surfing the web.
No matter what, a properly secured browser will not infect the host accessing a webserver. At worst a fault in the server side will just prevent the website from operating properly, which we can say is a fault in its security but the drive by download menace is only a menace when the host browser allows it.
Remember, when surfing the web you run software that downloads code. The code could be anything at all, and the software you are running has to deal with it. No amount of trying to prevent random code from flowing could ever work, it has to be the client side that limits what could happen.
Browser doesn't matter if...
You're not smart enough to protect yourself.
Saying that the problem lies with web servers and that the solution starts there is like saying there's a problem with theft in high density urban areas and the police should do more to protect the people at large.
If you're just surfing, why would you want your browser wide open to all those attack vectors?
Won't affect me
As owner of a web site, I am glad to see that my complete lack of java, ActiveX modules and Apache anything in my site code preserves the security of all users who get to my pages - even if they are sufficiently misled to use a prime malware vector such as IE (any flavor).
Heck, I don't even set cookies on my site! It's pure HTML, all the way.
Of course, I don't attempt to sell anything either, so it's easier to be clean.
As for my own security, I am confident that my browser will not foist a download upon me without a warning, and that I can actually make an intelligent evaluation before clicking on something.
You don't put "Apache anything" in your site code (or 'markup' as it's known if it's "pure HTML") but then most people don't because Apache is a webserver and not a content enhancing browser extension like Java or ActiveX.
Chances are that your website is hosted and served by an Apache webserver, it's by far the most common web server out there.
If the web server that hosts your site is compromised there is little you can do to prevent your site being used to distribute malware even if you know what you are doing and especially if that server is owned and managed by someone else.
Unless I missed the point somewhere then based on your post I wouldn't be too confident about being safe from malware if I were you.
Apache web servers hosting malware
Yes, Sophos's research found that 48.7% of the compromised websites were running Apache. The next closest was IIS 6 which was used on 40.6% of the websites hosting malicious code. There is a danger that people may think that just by avoiding Microsoft software they're immune from attack - which is clearly nonsense.
The full report is available from http://www.sophos.com/securityreport2008 if anyone is interested. You have to fill in a form to get at the PDF with the meat of the report, but you can always say you're Donald Duck if you're paranoid we're going to do something ghastly with your details...
Graham Cluley, Senior technology consultant, Sophos
How goofy would that be?
@ Graham Cluley
what if one actually IS Donald Duck (and paranoid)? perception is reality, you know...
any idea yet what the vector is? would having a squid proxy on, say, OpenBSD, in front of your Apache box help? what if it's configured with an ACL? SELinux? whitelist only? what if your site is strictly flat HTML, are you immune? is the Pope Catholic? ...just checking if you're paying attention.
thanks for reading, and any answers you can provide.