Friday, February 02, 2007

Don't trust server-side security

This morning I got a heads up about a Websense alert about the Super Bowl XLI / Dolphin Stadium website. Apparently the popular website was silently defaced to include a hidden snippet of JavaScript that exploits MS06-014 and MS07-004, loading the NsPack-packed Trojan keylogger/backdoor. Very bad for any unpatched IE browsers that hit the website.

We've all seen this kind of thing happen before, and I'm sure it'll happen again and again and again, etc. What got me thinking was a piece of conventional wisdom we often hear, "Don't Trust Client-Side Security". Fair enough, but in this case the opposite is true. This was a popular and trusted website, not some hacker/warez/pr0n/serialz hang out spot. I think we need to start designing web browsers and safe-surfing habits around this concept:

Don't Trust Server-Side Security