I hadn’t looked at the news feed from Information Week for a few days, so when I checked it today there was a really interesting story told by way of headlines:
Yahoo Mail Worm Harvesting Addresses: The “Yamanner” worm exploits a JavaScript vulnerability in Yahoo’s Web mail client. Users should watch out for messages with a “From” address of [email protected] and the subject line, “New Graphic Site.” Posted on: Mon, Jun 12 2006 11:41 AM
Yahoo Quashes Mail Bug: Yahoo says it has patched a bug that was letting attackers hijack systems through a flaw in the portal’s free Web-based e-mail service. Posted on: Tue, Jun 13 2006 1:23 PM
Yahoo Mail Worm May Be First Of Many As Ajax Proliferates: The Yamanner worm that hit Yahoo Mail shows how increasingly popular techniques like Ajax and Javascript that make Web-based software perform well also could make it vulnerable. Posted on: Tue, Jun 13 2006 4:00 PM
As alarming as this might sound, think about the timeline for a minute. Late Monday morning, the problem hits the news. Early Tuesday afternoon, the security hole is fixed; because there’s no software installed on any desktops, the fix is effectively distributed everywhere instantaneously. By late Tuesday afternoon, the coverage is already into the post-game analysis, since there’s nothing else to talk about.
That is quite different from applications that run on your desktop or your servers: this is the reality of web-based SaaS.