Web Site Design, Usability, SEO & Marketing Discussion and Support

Application Exploits 3-fold Impact


There is a recurring three-fold problem with web software vulnerability that is admirably exemplified in the current osCommerce store management application exploit mess.


Background Note: this exploit is primarily either an iframe link or a straight link infection. Back on 24-July-2011 when first announced there were ~94,000 infected pages, a week later ~5-million infected pages, and yesterday ~8.5 million.


So, what are the three problem components?

1. update failure.

It appears that most, perhaps all, of the exploit is targeting weakness already patched.


2. communication failure.

It appears that the app vendor has not bothered to discuss the precise findings with the firm that discovered/publicised it. The security firm is claiming three failure vectors, one quite recent, osCommerce adamant only one and that long patched. The app vendor - in media I've read - sounds wholly defensive, pointing everywhere else rather than getting on top of the situation and sound bites.


3. public relations failure.

As the infection numbers increase the publicity has several impacts on 'innocent' parties:

* sites with up-to-date patched software (and other defences):

---become disillusioned/dissatisfied with application support and look at alternatives.

---become tarred with the same broad brush - running an insecure/cracked/dangerous shopping experience.


* those users exposed to attacks once they learn how/where are less likely:

---to ever again trust/recommend that site.

---to trust the application or sites that utilise it.


Unfortunately, this example experience is more the norm than an exception when web apps get abused. And that raises very serious questions for webdevs:

* do you have a formal defined always followed process for managing software updates?


* do you have an eye out for software vulnerabilities, i.e. Google Alerts?

---and have you thought about what to do if there is a vulnerability that is not yet patched?

---and have you 'walked through' application usage looking for input weaknesses - and considered backstop possibilities?

---and have/do you keep abreast of browser vulnerabilities and whether/how your site might be impacted and how you might mitigate them?


As the webdev threshold has continually lessened with increasingly easy-to-use software, the points of vulnerability have increased. I suggest that part of a good business plan is continual education in the products you use, especially those that visitors interact with; don't just be a driver, learn how to change a tire, the oil, etc. And have a trusted mechanic on speed dial.

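One "backstop" for the iframe/link infection the post above describes is a periodic scan of the pages a store actually serves for injected remote content. The following is an added example (not code from the thread or from osCommerce): it parses an HTML page and reports iframes styled to be invisible, and iframes, scripts or links pointing at hosts outside an allowlist you maintain. The allowlist host and the sample page with its "malicious.example.net" host are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect suspicious iframes, scripts and links from one HTML document."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []          # list of (finding_type, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # boolean attributes arrive as None
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or (a.get("width") or "").rstrip("px") == "0"
                      or (a.get("height") or "").rstrip("px") == "0")
            if hidden:              # an invisible iframe is the classic drive-by carrier
                self.findings.append(("hidden-iframe", a.get("src") or ""))
            elif not self._allowed(a.get("src")):
                self.findings.append(("external-iframe", a.get("src") or ""))
        elif tag == "script" and not self._allowed(a.get("src")):
            self.findings.append(("external-script", a.get("src") or ""))
        elif tag == "a" and not self._allowed(a.get("href")):
            self.findings.append(("external-link", a.get("href") or ""))

    def _allowed(self, url):
        if not url:
            return True             # inline script or missing attribute: nothing remote
        host = urlparse(url).hostname
        if host is None:
            return True             # relative path, i.e. same origin
        return host.lower() in self.allowed_hosts


def scan_html(html, allowed_hosts):
    """Return the list of findings for one page given the hosts you expect to see."""
    parser = InjectionScanner(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two legitimate elements, then two injected ones.
SAMPLE_PAGE = """<html><body>
<script src="/catalog/js/store.js"></script>
<a href="https://shop.example.com/cart">Cart</a>
<iframe src="http://malicious.example.net/x.php" style="display:none"></iframe>
<a href="http://malicious.example.net/drive-by">offer</a>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_PAGE, ["shop.example.com"]):
        print(f"{kind}: {url}")
```

Run it over the store's rendered pages (or the template files on disk) from cron and diff the output against the previous run; a new finding is the earliest signal you will get that a page has been modified.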

I try to limit my software exposure to products that are updated regularly.


Where there is an auto update I use it. If I know I'm going to be working wirelessly, for Microsoft I sometimes check manually instead, daily, because some of their updates are huge and require a reboot. The occasional inconvenience of an update messing up a setting is tiddlywinks compared to taking chances on an infection.


I have email subscriptions to a couple of sites that only post about software vulnerabilities, mostly from open source products. I found the two I watch now by googling for [wordpress plugin]+vulnerability. At first blush it seems like open source software is a breeding ground for plagues, but after watching these lists for a while I feel safe in saying unmaintained software is where the devil lives, including user installations that allow infection to spread.


Over and over again I'll see a warning about a vulnerability, then check my software and see that I've already updated past where that vulnerability applies to me. Self-policing is pretty good in active communities.


That doesn't necessarily apply to user-supplied add-ons, plugins and themes. They can be anything from beautifully functional and scrupulously cared-for to... well... some unfortunate forgotten beast from the Island of Doctor Moreau. If it's not listed in official repositories, e.g. the WordPress.org themes and plugins section, it may have next to no exposure to review or critical comments by the community.
