Where The Web Is Weak

Tolstoy wrote that happy families are all alike, while every unhappy family is unhappy in its own way. Something like the opposite might be said for Web sites. Many of the Web's millions of insecure pages can be hacked with just one or two tricks. But patching the bugs in each of those vulnerable sites requires a unique solution.

Case in point: Last month, a single attack ripped through the Web, infecting more than half a million sites including those of the Department of Homeland Security, the United Nations and the British Government. Using Google searches, the attackers' software--written partly in Chinese characters--identified sites vulnerable to a hacking technique called SQL injection and infected them en masse with malware designed to steal the bank codes of the sites' visitors.

In late April, the sites hosting that malware were identified by security researchers who in turn notified the Chinese Internet service provider and had them disconnected from the Internet. But the job of cleaning up the Web's mess, says Jeremiah Grossman, the chief technology officer of White Hat Security, is far from over.

In fact, Grossman says that the majority of those sites remain vulnerable to the same attack. The typical SQL injection vulnerability, he says, takes a site's owner more than four months to locate and fix. That's because, unlike exploits that affect a typical software program, Web vulnerabilities can't be secured with an update downloaded from a vendor--every site has its own bug to excise.