Advertising banners commonly offer “something special” to customers, usually in the form of lower prices or better service. But over the weekend, some popular Web sites delivered something completely unexpected with their advertising banners: a piece of malware.
The attack on a load balancing server at Germany’s Falk eSolutions caused the Bofra/IFrame exploit, a variant of MyDoom, to be delivered along with the ad banners of as many as 150 of the company’s clients. These include A&E Networks, IDG and The Register, where the hack was apparently first discovered.
The hack took advantage of a recently discovered weakness in Internet Explorer that, alas, had yet to be patched. Windows XP SP2 (Service Pack 2) users were immune, which is great for them but bad news for everyone else.
The damage from this hack is probably more psychological than practical, pointing out as it does that no part of the public Internet—no matter how supposedly well-managed or protected—can really be considered “safe.”
It reminds us that even if we take proper steps to protect our own systems, there is no guarantee that lapses won’t occur someplace else. And for some users, who cannot yet install SP2 due to application conflicts, the lack of a patch meant they had no protection at all.
It’s important to remember that the majority of business users are still using (unprotected) Windows 2000 and will be even if Microsoft goes through with plans to end support with the new year. This latest hack is another good reason why Microsoft should have ported the SP2 security fixes back to the software most people actually use.
Forcing people to upgrade to a new operating system to receive security fixes that could be implemented in earlier versions strikes more than a few people as sleazy. This may not be what Microsoft was attempting, but the customer frustration exists nevertheless.
Still, this episode raises a much larger question: Can the free Internet survive?
Rosy Assurances
Despite Bill Gates’ rosy assurances that the security problem is about “50 percent solved,” does anybody really believe it? My perception is that the more people use the Internet, the more they fear it.
Sure, they like what the Internet does for them—such as shopping and Google—but they don’t really care how those services are delivered. And they see Internet threats, whatever the source, as increasingly serious. At some point, the Internet just won’t be worth the hassle and worry.
Will our grandchildren come to see the era of an open Internet as a relic of a more naive time? My bet is that biometrics and other authentication technology will “soon” do away with anonymous access to any Internet resource. Every packet on the Internet will be directly traceable back to a machine and a human that’s responsible for it.
If that “soon” doesn’t come soon enough, and the Internet’s other security gaps cannot be filled, it’s possible that the very concept of a public Internet will be replaced by closed, private services.
In this scenario, the Internet reverts to something like its closed ARPANET predecessor: Consumers go back to closed but interconnected networks such as AOL and CompuServe, and businesses subscribe to a network of their own.
Novell and AT&T once proposed the creation of their own private Internet to offer customers better performance and greater security. Such a network could run its own protocols and wouldn’t be open to individuals, thus reducing risk to network customers.
In my dark thoughts, I wonder if Microsoft, IBM and other big players wouldn’t be better off if the current Internet failed and was replaced by a new, more private one. But for that to happen would be a terrible blow to the free, global flow of information and commerce.
I’m not saying Microsoft, IBM, et al. actually want this to happen. The risk to the existing order would be too great and the potential for disaster too large. Yet if free commerce and information cannot be built atop a safe and secure foundation, aren’t we fooling ourselves that they really exist at all?
Things are going to change. I’m just not sure if it will be for the better.