Web 2.0, AJAX Bring New Era of Threats

By Matt Hines  |  Posted 06-16-2006
Malware attacks created using emerging Web development tools such as AJAX are expected to begin showing up more frequently, as writers of malicious code match the skills of their legitimate counterparts.

With the arrival on June 13 of the Yamanner worm, which spread through Yahoo's Web-based Yahoo Mail service, industry analysts and security software vendors say the era of what might loosely be called Web 2.0 threats has arrived.

AJAX (Asynchronous JavaScript and XML) is a technique that pairs JavaScript running in the browser with the XMLHttpRequest object, so a page can exchange data (originally XML) with the server in the background and update itself without a full reload. It lets Web site developers speed the interactivity of their sites, but experts agree it can just as easily be used to amplify attacks: a request made this way carries the user's cookies, so any script that gets into the page can act with the user's own privileges.

The Yamanner worm uses AJAX to amplify delivery of its payload as it exploits a flaw in Yahoo Mail's filtering of JavaScript in HTML messages. The flaw itself is an ordinary cross-site scripting vulnerability: the filter lets an event-handler attribute through, so the script runs inside the victim's authenticated webmail session as soon as the message is viewed. What turns that into a worm is the same Web 2.0 plumbing Yahoo uses for its own interface. From inside the session, the script issues XMLHttpRequest calls, complete with the victim's cookies, to read the address book and send copies of the message to the contacts it finds, with no further action from the user.
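The defensive lesson from both paragraphs above is that the hole was in the HTML filter, and that once script runs in the session, AJAX does the rest. The following Node.js script is an added illustration, not part of the original story and not Yahoo's code or the worm's. It contrasts a blocklist filter of the kind XSS worms slip past with an allowlist sanitizer that drops everything it does not explicitly recognize. The payloads are constructed for the demonstration using generic filter-evasion tricks (upper case, an unlisted handler, whitespace around `=`, a `javascript:` URL); they are not Yamanner's actual vector, and `stealContacts()` is a hypothetical name standing in for a script that would harvest the address book.

```javascript
// Blocklist vs. allowlist sanitizing of user-supplied HTML (webmail-style).
// Added example; stealContacts() is hypothetical and the payloads are constructed.

// A blocklist filter of the kind that XSS worms routinely slip past: it removes
// <script> blocks and a handful of known event-handler attributes, nothing else.
const BLOCKLIST = /<script\b[^>]*>[\s\S]*?<\/script>|\son(load|click|error)=/g;

function naiveSanitize(html) {
  return html.replace(BLOCKLIST, '');
}

// Allowlist sanitizer: only these tags survive, and only with these attributes.
// Every on* handler, style attribute and unknown tag is dropped by default.
const ALLOWED = { p: [], br: [], b: [], i: [], a: ['href'], img: ['src', 'alt'] };
// Tokenizer regexes for the demo. TAG_RE assumes no '>' inside attribute values;
// production code should use a real HTML parser (e.g. DOMPurify in the browser).
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function escapeText(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// URL attributes: only absolute http(s) URLs. Control characters and whitespace are
// stripped first so that "java\tscript:" cannot hide the scheme from the check.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '');
  return /^https?:\/\//i.test(v) ? v : null;
}

function allowlistSanitize(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));   // text between tags is escaped
    last = m.index + m[0].length;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!(name in ALLOWED)) continue;               // unknown tag: removed entirely
    if (closing) { out += `</${name}>`; continue; }
    const attrs = [];
    for (const a of m[3].matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      if (!ALLOWED[name].includes(key)) continue;   // drops onload=, onmouseover=, style=, ...
      let val = a[2] ?? a[3] ?? a[4] ?? '';
      if (key === 'href' || key === 'src') {
        val = safeUrl(val);
        if (val === null) continue;                 // javascript:, data:, relative: dropped
      }
      attrs.push(` ${key}="${val.replace(/&/g, '&amp;').replace(/"/g, '&quot;')}"`);
    }
    out += `<${name}${attrs.join('')}>`;
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed payloads: generic filter-evasion tricks, not the worm's actual vector.
const IMG = 'https://example.com/a.png';
const PAYLOADS = [
  `<img src="${IMG}" onload="stealContacts()">`,        // the one case the blocklist handles
  `<IMG SRC="${IMG}" ONLOAD="stealContacts()">`,        // upper case: the regex is case-sensitive
  `<img src="${IMG}" onmouseover="stealContacts()">`,   // handler not on the list
  `<img src="${IMG}" onload = "stealContacts()">`,      // whitespace around '=' breaks the match
  '<a href="javascript:stealContacts()">hi</a>',        // no handler at all, just a URL scheme
];

// Anything that can still execute script if rendered.
const ACTIVE = /\bon\w+\s*=|javascript:|<script/i;

function survivesFilter(sanitizer, html) {
  return ACTIVE.test(sanitizer(html));
}

// Per payload: did script-capable content survive each sanitizer?
function compare() {
  return PAYLOADS.map((p) => ({
    payload: p,
    blocklistLeaksScript: survivesFilter(naiveSanitize, p),
    allowlistLeaksScript: survivesFilter(allowlistSanitize, p),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compare()) console.log(r);
  console.log(allowlistSanitize(PAYLOADS[4]));
}
```

Run it with `node sanitize.js`. The blocklist stops only the first payload; the other four reach the renderer with script attached, which in a webmail client means they reach the cookie-bearing XMLHttpRequest session the article describes. The allowlist version strips every `on*` attribute and every non-http(s) URL without needing to know the evasion in advance, which is why sanitizers should enumerate what is allowed rather than what is forbidden.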

So far there have been only a few high-profile manifestations of such threats, Yamanner and the similar Samy worm that forced News Corp.'s MySpace social networking site offline in October 2005 among them, but it appears inevitable that more AJAX worms and other variations on the theme will follow.

"There's a developer education issue that needs to be figured out before we get too far into the use of AJAX, to make it safer for everyone," said Andrew Jaquith, an analyst with Yankee Group, in Boston. "It's early in the game now, but these are likely to be the avenues that malware writers will be looking at and the most popular AJAX implementations will be the first targets."


Interestingly, some of the earliest adopters of AJAX have been companies that have rarely been the target of high-profile attacks, such as Apple and Google, alongside more frequent malware targets such as Microsoft and Yahoo. It will be incumbent on those firms to ensure that their applications have been thoroughly tested against Web 2.0 threats, Jaquith said.

Read the full story on eWEEK.com: Web 2.0, AJAX Bring New Era of Threats