Malware attacks against search giants Yahoo and Google this past week show online outlaws are working overtime to exploit any security hole they can find in Web applications. As Web-based services grow increasingly popular, industry experts say users should brace for more of these threats.
Also in recent days, Google Inc. has tried to fight off malware targeting its Google Page Creator Web site hosting service as well as its Orkut social networking service. The attacks illustrate a growing trend where the digital underground has shifted its attention away from assaults against network perimeters and operating systems in favor of those exploiting application flaws.
Peter Firstbrook, an analyst with Stamford, Conn.-based Gartner Inc., said that while Microsoft has developed a "very good" patching mechanism for its programs, most application providers, in contrast, have not. That being the case, he said, these recent Web-based application attacks could be the mere tip of the iceberg.
"The [malware authors'] focus has been on Microsoft, but now we have to look at all these applications where the patching track record isn't as good," Firstbrook said.
While that may be the case for other application providers, Yahoo spokeswoman Kelley Podboy said the Yamanner experience shows that her company does have a good handle on the threat. She said that upon discovery of the worm, Yahoo was able to protect all its users within a day.
Podboy added that the incident affected a "very small fraction" of Yahoo users. "We have taken steps to resolve the issue and protect our users from further attacks of this worm. The solution has been automatically distributed to all Yahoo Mail customers and requires no additional action on the part of the user."
Google did not respond to an interview request regarding the recent malware threats against its programs.
CSOs are worried
Doug Goodall, vice president of global security solutions for Getronics NV, a provider of workspace management IT services based in Amsterdam with U.S. offices in Tewksbury, Mass., said the Yahoo and Google attacks in particular show that the bad guys are getting far more sophisticated and that their assaults are far more targeted.
"It used to be that we had these big worms that were designed to hit whatever they could hit," Goodall said. "Now we see this very focused application targeting, like what we're seeing against Web mail applications. It's just amazing how accurate these guys are getting."
Getronics runs the International Information Integrity Institute (I-4), a consortium of about 75 multinational organizations in which CSOs meet behind closed doors several times a year to trade notes on their biggest challenges. By meeting in secret, CSOs are comfortable speaking candidly about their pain points. Goodall said those CSOs are increasing concerned about the Web application threats.
"At one of our I-4 forums, people talked about how they're putting a lot more of their focus on patching," he said. "But they all acknowledged that flaws in applications are a lot harder to deal with. They've gotten good at patching the operating systems, but you have so many legacy applications and new applications, it's a lot for them to get their arms around."
He said the bad guys know this, which is why they are increasingly seeing application flaws as a goldmine waiting to be plundered.
A challenge to corporate computing policies
Dan Blum, an analyst with Midvale, Utah-based Burton Group, said the growing Web application threat also poses a challenge to the Internet-browsing policies of many companies.
"Businesses have a permissive policy toward outbound browsing," Blum said. "It's like using the phone for personal calls." However, he added, Web-based mail services and other hosted applications have become another vector through which malware can enter a company.
Theoretically, Blum said, companies could take a hard line and restrict much of this activity, but there's a big downside to that.
"Users would end up using their company email to do these things and could expose company information that way," Blum said. "I think it's probably better to keep letting employees use Web mail, but educating them on things they should beware of." He said end-users should be taught to use the Firefox Web browser and to avoid giving out sensitive information.
Firstbrook recommended that companies monitor their threat environments and make use of automatic defenses like antivirus and proactive tools like host-based intrusion defense systems (IDS). "Shield your infrastructure so you can get the patches out," he said.
No place for FUD
While the growing threat against Web-based applications is cause for concern, people shouldn't be alarmed or surprised, said Shane Coursen, senior technical consultant for Russian antivirus firm Kaspersky Lab.
"I don't think we should make a bigger deal out of this than it's worth," he said. "It's perfectly natural and normal to see malware writers taking advantage of Web applications." He added that the ubiquitous nature of Web-based applications make them the perfect platform to spread malware.
In spite of that, Goodall said companies like Yahoo and Google have a big advantage Microsoft didn't have when it began to face a steady stream of attacks.
"They've grown up in a period where the whole industry has been focused on security," he said. "They didn't start with this big legacy infrastructure. Much of what they've deployed has been in the last five years, in an environment with more security awareness." But if these companies aren't careful, he said, they could end up wearing as big a bull's-eye as Microsoft has in recent years.
"They're growing so fast, light years faster compared to Microsoft's growth in the 1980s," Goodall said. "When you add new services at their speed, it opens the door for a lot of chaos."
This article originally appeared on SearchSecurity.com.