Last week, a security researcher published details of a hole in Sun Microsystems' browser plug-in for running Java applets downloaded from the Internet. The week also saw a banner-ad attack that exploited an unpatched flaw in Microsoft's Internet Explorer browser software.
The two major vulnerabilities have security experts jittery, because the technologies they affect are widely used -- a situation that heightens the security threat. Popular use of a single technology -- or, borrowing from the world of ecology, a monoculture -- carries the risk that a flaw could lead to a single devastating attack, security experts said.
"When you have 70 or 80 percent of the Internet running the same software or service, then it only takes a single shot to do incredible damage," said Marcus Sachs, director of the Internet Storm Center, which tracks network threats for the SANS Institute, a security training company.
Security experts have found similarities in the way a disease can devastate crops and the way a virus and other onslaughts can attack Internet infrastructure. Despite the obvious differences between the two fields, some principles in agriculture can be applied to technology. Just as biologists advise farmers to diversify their plantings, computer researchers believe that diversifying the software components of the Internet, or at least encouraging more competition among developers of the components, could lead to a more robust system.
More targets, higher risk
The flaw in Sun's Java plug-in highlights the dangers. The vulnerability, found by Finnish security researcher Jouko Pynnonen in April, was patched last month by Sun. However, its details were not made public until last Tuesday. The flaw helps bypass protections that make sure applets, or small Web programs, run safely on a user's computer.
It's a multistep process to exploit the hole: Attackers could release a Web-enabled virus, which would then send victims to a compromised Web site, which would then infect their PCs using the Java flaw.
The plug-in vulnerability raises the stakes, because it opens the possibility of infecting any operating system -- Microsoft Windows, Linux and Apple Computer's Mac OS X -- on which Sun's Java component can run.
In the past, computer hardware architecture and operating systems have acted as a barrier to threats. Like a fish out of water, a software program cannot live outside its digital element. That inability has tended to block multiplatform attacks. However, the Java virtual machine -- the basis of Sun's Java technology -- abstracts underlying hardware and software. Java is all about running programs across platforms, and Sun's mantra -- "Write once, run anywhere" -- equally applies to malicious computer programs.
The security researcher who found the flaw believes that the vulnerability could lead to a virus that infects Linux machines, Windows computers and Mac OS X systems. However, he has not tested for the issue on Apple's operating system, and the company could not be reached for comment.
"It could be easily used for spreading viruses or other malware," Pynnonen said in an e-mail. "The exploit itself can't be easily embedded in e-mail, because Java applets contained in e-mail aren't normally started automatically. However, an e-mail message could contain a link to a Web page which has the exploit."
Security experts are not catching on fast enough. I predicted in September 2004 to Fran Foo that JavaScript in cookies used by ad tracking sites would be hacked after executable zip files for phishing purposes via trojans with keyloggers - any standard is open because it affects a large group of people.
Start testing the cookie blocking aspects of your browser in the privacy settings - watch in disbelief as web sites actually change settings for you without warning - generally to lower, less secure settings. Try blocking third-party cookies (ad serving sites) and watch the web page start to fall apart - you don't get the info unless you are willing to be tracked in many cases. And if your anti-spyware starts auto-blocking cookies with malicious intent for you, a secure session login to your account may also be prevented - the results are amusing at best.
Other sites, e.g. www.seek.com.au and many banking sites, require turning pop-up blockers off to access job ads or internet banking screens.
We may as well return our secrets to the cookie jar for safekeeping.