[ news_security_news ]
Yamanner Leads New Threat
Doug Caverly
Staff Writer
2006-06-19
 Insider Reports RSS Feed
Last week, a new worm known as "Yamanner" spread through Yahoo's e-mail system. The problem was solved in short order and did relatively little damage while it still existed. What's more troubling is how the worm spread-when users opened just the e-mail itself, not any attachments, it sprang into action-and the strong possibility that more could follow suit.
Yamanner worked by exploiting a vulnerability in the JavaScript that permits embedded scripts in HTML to run in users' browsers. David Wagner, an assistant professor of computer science at the University of California at Berkeley, believed it was only a matter of time before the JavaScript in Ajax was attacked. "This kind of worm shouldn't be a surprise to anyone," he said.
According to the Networking Pipeline, Wagner was also of the opinion "we'll see more such worms and viruses as long as Web sites and companies implement Ajax applications without understanding their vulnerabilities."
Any blame should not be laid at the feet of Ajax, however. "JavaScript was dangerous before Ajax came around," said Billy Hoffman, the lead research and development researcher at SPI Dynamics.
Wagner doesn't believe the Yahoo e-mail service is at fault, either. "The problem isn't that Yahoo is incompetent. The problem is that filtering JavaScript to make it safe is very, very hard," he said.
Groups such as the OpenAJAX Alliance are working on decreasing the risk of Ajax adoption. But sites with Ajax applications need to learn about the technology's weaknesses, and how to defend them.
Add to | DiggThis | Yahoo! My Web
Technorati: Yamanner
About the Author:
Doug is a staff writer for SecurityProNews, InternetFinancialNews, SearchNewz, and WebProNews.
More news_security_news Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
