Dasient Blog

Monday, November 16, 2009

Structural vulnerabilities, and the importance of being prepared

There was an interesting story in the media late last week: several articles detailed a newly discovered vulnerability created by the origin policies for third-party Flash objects embedded on sites. This vulnerability is especially serious because it's structural in nature -- meaning that it stems from the way this third-party content is actually embedded in sites, rather than from a software hole that can be patched. There is no simple solution for closing this vulnerability.

As the web grows increasingly interdependent -- with web companies and site owners sourcing in more and more content and applications from each other and from users -- these structural vulnerabilities will only continue to grow in variety and number. At present, they include sourcing in third-party content or applications; enabling users to add content like comments, links, photos, and other files; and employing syndicated ad networks, among other things. These vulnerabilities are already relatively widespread: For example, 66 percent of the top 500 sites in the US run ads, 47 percent of the top 100 accept user-generated content, and 75 percent of the top 100 newspapers in the US enable user comments.

These vulnerabilities open sites up to a number of potential exploits, not least of which is being turned into a delivery vehicle for malware, wherein a site inadvertently infects some or all of its visitors with malicious software. This can in turn trigger losses in traffic, reputation, and revenue, as visitors discover the infections and as the site is evaluated by the search engines, browsers, and AV providers that blacklist dangerous sites. And since these vulnerabilities are structural, there's often no way to "close" them. In other words, there's nothing site owners can do to guarantee that they won't be exploited, other than abandon things like third-party content and ad networks altogether (which, for most sites, isn't much of an option).

So what can site owners who rely on elements of the interdependent web do to reduce the likelihood that their site will be compromised? At Dasient, we believe that a fast, scalable scanning and diagnostic service is an increasingly crucial part of any defense strategy. In the last few months alone, we've seen a significant increase in the number of sites that are being compromised and turned into delivery vehicles for malware. Now more than ever, site owners need to be able to quickly locate and address any bad code that finds its way onto their sites.

To learn more about how Dasient's Web Anti-Malware service might be able to help you, check out this page.

1 comment:

Student said...

I just visited your blog and read your post; it is very informative. Thanks a lot for sharing this.

http://legallaw.sosblog.com/admin.php?ctrl=posts&tab=posts&blog=1&post_id=60#form_comment


Keep blogging

Dasient, the leader in Web anti-malware technology, envisions an Internet that is safe and malware-free for users and online businesses. Dasient protects the websites of leading financial services, e-commerce, media, web hosting and other global enterprises from losses of data, revenue and reputation caused by web-based malware attacks. Furthermore, Dasient's adaptive security intelligence re-defines Internet security by scanning the expanses of the Web and harnessing the power of data to mount defenses against future malware attacks.