Phoenix, AZ - Security firm Ballixtup LLC announced today a proof-of-concept exploit that could be used against popular Web 2.0 sites. The exploit shows how malformed mouseOver code can be used to extract Social Security numbers, credit card numbers and other sensitive data.
John Deloney, a spokesperson for Ballixtup, warned "Until a patch is rolled out to fix this vulnerability, we recommend you change your Internet settings to turn off Web 2.0 code."
In extreme cases it may even be necessary to roll back to Web 1.0. Although this could affect any operating system with a browser, it will have the greatest impact on Microsoft Windows because of its Web 2.0 integration into the operating system. Microsoft has announced plans to start beta testing new software that will remove malicious websites. It will be called the Windows Malicious Web Site Removal Tool.
Tammy Shroyer from Microsoft said, "With our Malicious Web Site Removal Tool, Internet Explorer users will be able to protect themselves and others by completely removing malicious Web 2.0 sites from the Internet."
Kevin Rose, founder of the popular Web 2.0 site Digg, said, "You won't be seeing this kind of exploit on a site like Digg to extract personal information from our users. We plan on using the code to change everyone's Social Security number into the AACS hex code."
A patch, Web 2.01, is expected to fix this exploit, but it is not expected until mid-July.