Ajax will create a new generation of dangerous viruses?

About analytics warnings: Yamanner worm attacked the Yahoo Mail system just recently as a prelude to the new Ajax-based worm generation.

Although Yammanner was quickly stopped, the whole world realized how great risks people would face if there were no strict controls for Web application development.

Fatal flaw

To be able to upload photos from email to the mail server, Yahoo Mail relies on a few JavaScript functions. The Ajax tool is used extensively by this service to promote mail user interaction with the server system.

But Yamanner exploited the flaw in JavaScript, replacing legitimate JavaScript commands (used to upload images) with their own JavaScript statements. Consequently, the computer will be infected immediately when the email is read without any other user intervention (such as clicking on the link or opening the attachment).

JavaScript is a key part of Ajax - the toolkit being used is increasingly popular within Web applications. Yahoo itself also uses Ajax within Yahoo Calendar, Yahoo Sports, Yahoo Photos, Flickr and Yahoo Mail.

" Yamanner's appearance is not surprising, as long as websites and businesses are aggressively deploying Ajax applications without understanding their weaknesses ," said University of California assistant professor David Wagner. .

Without these serious, integrated security features, Ajax-enabled Web applications will open a wide range of doors for hackers to invade. In Yamanner's case, the worm can send requests from the victim computer to the Yahoo Mail server, collecting all the names in the mailbox's contacts. Then it compiles an email to all these addresses as a new type of self-replication.

This is the most dangerous point of it, because users see the sender's address will no doubt but click on. " No attachments are needed, no links or icons, no files, they've been" stuck. "And then it's the names on their contact list . just like that, it's born with. dizzying speed , "Wagner said.

The assassin hid his face

Yahoo Mail appears on IE, but the browser is designed to run any JavaScript code they find inside an HTML page or email. When the recipient opened the mail, there was no sign of informing them that they were infected.

It all happened silently behind the chicken wings. The browser silently executes without checking what the function is running, and Yamanner, of course, doesn't really notice its action on the computer screen. Except for one sign: the computer suddenly slowed down.

In addition, Yamanner also has the pain to send all contact information it collects about a website that has not been identified yet. In this way, the hacker will set up a list of emails to tens of thousands of names to sell to the spammer.

Why does one of the world's largest email service providers like Yahoo let such a hole exist in its system?

" It is not that Yahoo is in charge, but because JavaScript filtering, ensuring it is absolutely safe is a very, very difficult thing ," Wagner said.

Hard to take precautions?

Defensive against false JavaScript behaviors has become even more difficult, as mature hackers can easily find the "entrance" to this new form of attack.

" There is no need for you to be brilliant. It is easy to get holes in JavaScript, just try a few times deep like Yamanner, " said technology director Gary McGraw of Citigal.

Once they find this vulnerability, hackers will be willing to share them, as well as "exploration" methods for their communities. In the case of Yahoo, the vulnerability was fortunate to be blocked before the hackers jumped into exploitation. But in the future, is anyone sure this luck will be repeated?

Remember that many current services use Ajax, such as Google Maps.

Thien Y