Sunday, June 25, 2006

Web services under attack!

"If you can send e-mails to those addresses and make it look like it's one of their friends, the chances they're going to do what you want them to do is better," Nick Ianelli, an Internet security analyst with the federally funded CERT Coordination Center said.

Also spurring the attacks is the growing power and flexibility of Web programming languages that allow Web browsers to look and act more like word processors, spreadsheets and other computer programs. The recent Yahoo worm targeted faulty scripts based on a technology called Ajax, or Asynchronous JavaScript and XML.

The worm didn't require a user to click on an attachment, making it more virulent than many. An undisclosed number of users got infected simply by opening an e-mail from another infected user. The worm then sent itself to others in a person's address book and transmitted those addresses to a remote server, possibly for junk e-mail, security researchers said.
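The worm ran because script inside a message body was rendered by the webmail client as live HTML. The standard defensive control is to rebuild every untrusted message body from an allowlist of tags and attributes before rendering it, as in this added example (not Yahoo's code, and not a description of their fix); the allowlist and the URL-scheme rule are constructed for illustration, and the returned list of dropped items is a detection signal for messages that carried script.

```python
from html import escape
from html.parser import HTMLParser
# Constructed allowlist for this example; a real product would tune it.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "div", "span", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}       # every other attribute is dropped
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
RAW_TEXT_TAGS = {"script", "style"}  # contents are discarded, not escaped


def _safe_url(value):
    # Drop control characters and whitespace first, so 'java\tscript:' fails too.
    cleaned = "".join(c for c in (value or "") if c > " ").lower()
    return cleaned.startswith(SAFE_URL_PREFIXES)


class WebmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized fragments
        self.dropped = []    # removed items; worth logging for abuse detection
        self._in_raw = None  # script/style block whose text is being skipped

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._in_raw = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or (
                    name == "href" and not _safe_url(value)):
                self.dropped.append(f"{tag}@{name}")  # e.g. p@onmouseover
                continue
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._in_raw:
            self._in_raw = None
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # comments/doctype fall to base-class no-ops
        if self._in_raw is None:
            self.out.append(escape(data))


def sanitize(body):
    # Returns (safe_html, dropped_items) for one untrusted message body.
    parser = WebmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped
```

A non-empty dropped list on inbound mail is cheap to count per sender and per hour, which is the kind of signal that flags a self-propagating message early.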

The ability of Yahoo, Google and PayPal to quickly plug this month's holes highlights one of the differences between combating worms that target Web sites and those that go after flaws in software running on an individual's PC.

PayPal was able to roll out a fix almost immediately by altering several lines of code on its server, company spokeswoman Amanda Pires said. That blocked the ability to exploit a flaw that let cyber criminals intercept users who typed in a genuine PayPal Web address, security researchers say.

By contrast, companies such as Microsoft that plug holes on individual PCs have to get millions of users to download and install a patch, a process that's more time consuming.

Over time, computer security experts said, Web site designers will get better at anticipating the ways their code can be exploited, but by then criminals are likely to move on to newer targets.

"The trend is definitely for blended attacks and leveraging different kinds of vulnerabilities to take the next step," said Rick Wesson, chief executive of Support Intelligence, which tracks online abuse for corporate customers. "The arms race is going to continue."
