Attacks Grow with Web App

Tuesday, August 16, 2011 @ 01:08 PM gHale

In the online world, a few short weeks could mean the difference between a simple attack and a viral epidemic.

That is what seems to be happening with an attack targeting sites running unpatched versions of the osCommerce web application. Three weeks after a security firm warned that the application was an unwitting accomplice in installing malware on the computers of unsuspecting users, the attack went from 91,000 web pages affected to well over 8 million, according to Armorize researchers.

Armorize said attackers are exploiting three separate vulnerabilities in the open source store-management application, including one discovered last month. Harold Ponce de Leon, the lead developer of osCommerce, said there is only one vulnerability, but he admitted no one on his team has spoken to anyone at Armorize to reconcile the difference of opinion.

“It is devastating not only to see the damage the attack has inflicted to online stores, but also to customers who are getting affected with old IE6 browser exploits,” he said.

He said a fix has been available since November’s release of osCommerce Online Merchant v2.3. The steadily climbing number of infected webpages suggests that a large percentage of osCommerce websites just are not installing it. And that means people visiting those ecommerce websites are open to attacks.
