Keeping the AJAX door closed

If your users are frequenting AJAX-powered sites, are they creating a new security risk? Sophos' Paul Ducklin offers his expert assessment of the risks and prevention tactics.

Q: My end-users are spending a lot of time on Web 2.0 sites that use a lot of AJAX and other new technologies. Does this open any new attack vectors into our organisation?

A: Yes, but not just "because it's Web 2.0." Very many sites these days rely on some sort of client-side scripting, usually JavaScript (the "J" in "AJAX") or VBScript, regardless of whether they see themselves as part of Web 2.0 or not. This means that the web browser has almost turned into an operating system + application stack of its own. Unsurprisingly, this also means that cybercriminals are switching their malware distribution mechanisms from email to the web.

Recent Sophos stats show that over 70% of new web-borne malware is hosted on compromised sites, often inside businesses -- not on sites deliberately set up for criminal misuse. In other words, we, the Good Guys, are collectively providing more than two-thirds of the malware delivery ammo available to web-savvy cybercriminals. And Sophos turns up an average of about 5000 new URLs hosting malware (are you ready for this?) per _day_.

(Some days it's many more than that.)

  1. Web security begins at home. Make sure your own company's web presence is patched and safe against remote compromise, whether from without or within. An internal infection of the Psyme family of malware, for instance, can inject malicious code into thousands of HTML and PHP files on your servers in minutes. Keep that anti-virus and those OS/application patches up-to-date, on servers and workstations.

  2. Consider going for a web filtering solution which is focused on security, not just staff productivity. Blocking outward access to disallowed porn and gambling sites is probably very important. But active malware filtering of all inbound data, even from apparently legitimate sites, is a must these days. To look for malicious scripts, iframes and the like in downloaded HTML pages, or to spot exploit shellcode in apparently-innocent pictures or cursor files, you probably need specialist help from a commercial product.
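To make the second point concrete, here is an added example (not from the article or from Sophos) of the simplest kind of check a defender can run over HTML files or downloaded pages: a heuristic scanner that flags hidden iframes and inline scripts using the usual obfuscation primitives. The sample page is constructed for the demonstration; a real filtering product applies far more rules than these two.

```python
import re
import sys
from html.parser import HTMLParser

# Inline-script patterns that legitimate pages rarely need: runtime
# decoding calls, or long runs of %XX / \xXX escaped bytes.
OBFUSCATION = re.compile(
    r"(unescape|eval|fromCharCode)\s*\(|(%[0-9a-fA-F]{2}){8,}|(\\x[0-9a-fA-F]{2}){8,}"
)


class InjectionScanner(HTMLParser):
    """Flag hidden iframes and obfuscated inline scripts in one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []       # list of (kind, detail) tuples
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:  # a zero-size or invisible frame is the classic injection
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script", data.strip()[:40]))


def scan_html(text):
    """Return the findings for one HTML document (empty list if clean)."""
    parser = InjectionScanner()
    parser.feed(text)
    parser.close()
    return parser.findings


# Constructed sample: a normal page with an injected frame and decoder stub.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="http://example.invalid/x.php" width="0" height="0"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63'));</script>
<script>var a = 1;</script>
</body></html>"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    docs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    for name, text in docs or [("SAMPLE", SAMPLE)]:
        for kind, detail in scan_html(text):
            print(f"{name}: {kind}: {detail}")
```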
