Sometimes, users get tricked into visiting a malicious website. Upon visiting, vulnerabilities in the users' browsers or operating systems are exploited. But you don't always have to be tricked. You don't even have to be stupid. You just have to be unlucky.
Major sites fall victim to Web hijack; check yours
To quote:
Security company Finjan Wednesday reported it has found more than 1,000 sites infected by an attack tool kit called Asprox, which exploits discovered flaws in a vulnerable site's programming to add hidden attack code. The attack code in turn searches for flaws on a browser's PC, and if any such holes are found, it will download malware onto the computer...
Finjan writes that this attack kit goes after flaws in QuickTime and the AOL SuperBuddy, as well as Windows.
For instance, if you had a hankering for Snapple and visited Snapple's website, you're done. Game over. Your machine is owned, hijacked by an attacker to do with as he/she pleases. If you visited any of the other 1,000 or so "government and top business websites" that had been hacked and infected, you would also be done. You don't have to be stupid, gullible, or unaware to be exploited. You just have to use the Internet.
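Since the article's headline says to check your own site, here is an added example (not from the article or from Finjan) that scans a page's HTML for the kind of hidden or off-site iframe and script tags an injection like this leaves behind. The trusted hostnames and the sample HTML are constructed assumptions.

```python
"""Flag hidden <iframe>/<script> tags injected into a site's HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: a normal page with one hidden iframe and one
# off-site script appended where injected attack code would sit.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<script src="/js/site.js"></script>
<iframe src="http://cdn.example.net/x.php" width="0" height="0"
        style="display:none"></iframe>
<script src="http://cdn.example.net/in.js"></script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_hidden(attrs):
    """True if size attributes or inline style make the element invisible."""
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return width == "0" or height == "0"


class InjectionScanner(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = set(trusted_hosts)  # assumed list of your own hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script or srcless iframe: out of scope here
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        external = host is not None and host not in self.trusted_hosts
        hidden = tag == "iframe" and _is_hidden(a)
        if external or hidden:
            self.findings.append((tag, src, "hidden" if hidden else "external"))


def find_hidden_injections(html, trusted_hosts):
    """Return (tag, src, reason) for each suspicious element in html."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    return scanner.findings
```

Run it over the HTML of your own pages (fetched from the live server, not from your source tree) and treat any finding as a page to compare against what you actually deployed.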
Recommendation from the article?
"...for your own computer's safety, it's critical to keep all your software -- not just the browsers and the OS -- up to date with patches."
And that has worked really well so far (excuse my sarcasm). And what of the toolkits that use exploits we don't have patches for?
Better recommendation:
Hold software manufacturers to account. Software manufacturers do not pay the social costs for defects in their software which they fail to detect. You do. You must adjust your behavior; software manufacturers do not. Stop the madness. Does it really make sense to suggest that tens of millions of websites and users are better suited to fix what software manufacturers shouldn't have made defective in the first place?