Monthly Archives: August 2004

What does scob mean?

Scob was the attack that exploited a bug in Internet Explorer together with an option in the IIS database server, causing the web server to append a JavaScript trojan loader to image files; the loader retrieved a keystroke monitor that mailed its results to the cracker.
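As an added illustration (not part of the original post), here is a defender-side check for the mechanism just described: it looks for a script tag sitting past the point where a served file should legitimately end. The sample bodies, file names and the loader URL are constructed for the demo and are not real Scob artifacts.

```python
import re

# Constructed sample bodies for the demo (not real Scob payloads).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # zero-length IEND chunk + its fixed CRC
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + IEND_CHUNK
TAMPERED_PNG = CLEAN_PNG + b"<script src='http://loader.example.invalid/x.js'></script>"
CLEAN_HTML = b"<html><body>hello</body></html>\n"
TAMPERED_HTML = CLEAN_HTML + b"<script>/* appended loader stub */</script>"

SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)
HTML_END = re.compile(rb"</html\s*>", re.IGNORECASE)


def trailing_bytes(body: bytes, content_type: str) -> bytes:
    """Return everything after the format's legitimate end-of-file marker.

    Only PNG (a single IEND chunk) and HTML (the closing </html>) are handled;
    JPEG is left out because EXIF thumbnails carry their own end-of-image markers.
    """
    ct = content_type.split(";")[0].strip().lower()
    if ct == "image/png":
        i = body.find(IEND_CHUNK)
        return body[i + len(IEND_CHUNK):] if i != -1 else b""
    if ct == "text/html":
        m = HTML_END.search(body)
        return body[m.end():] if m else b""
    return b""


def looks_injected(body: bytes, content_type: str) -> bool:
    """True when a <script> tag appears after the point where the file should end."""
    return SCRIPT_TAG.search(trailing_bytes(body, content_type).strip()) is not None


def scan(responses):
    """Return the names of (name, content_type, body) responses carrying an appended script."""
    return [name for name, ct, body in responses if looks_injected(body, ct)]


if __name__ == "__main__":
    sample = [("logo.png", "image/png", CLEAN_PNG),
              ("logo-tampered.png", "image/png", TAMPERED_PNG),
              ("index.html", "text/html; charset=utf-8", CLEAN_HTML),
              ("index-tampered.html", "text/html", TAMPERED_HTML)]
    print(scan(sample))  # ['logo-tampered.png', 'index-tampered.html']
```

Running such a check against what your own web server actually serves (rather than against the files on disk) is what catches server-side appending of this kind.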

There have been reams of reports from security companies about how scob worked, and more about who was behind it, how connections to the addresses it used to report were blocked, etc. It’s good to see so many people and companies on the ball, busily producing forensics.

But what does scob mean?

Well, for one thing, even image files are no longer safe from exploits. I suppose it’s good that people realize that anything can be broken.

For another, because there was no patch for IE at the time, a few more people will take software diversity seriously and use other browsers. This could even lead to competition among browsers on security; for example, it seems that Mozilla is offering $500 per critical bug. Both diversity and any resulting security competition would be good.

However, even patching bugs in individual facilities won’t solve the class of attacks that scob represents, because scob exploited a combination of bugs or features in several different facilities. Some of them weren’t even bugs for that facility; it was only when they were used in combination that they turned into bugs. Checking for such combinations is far more complex than debugging a single facility. Software diversity will help somewhat with this, because for example a browser and a database server from different vendors are less likely to have the same types of design flaws and coding styles. But diversity, like traditional security solutions such as patches, firewalls, intrusion detection etc., none of which stopped scob, has its limits.

And attacks like scob will happen again. Phishing in general is on the rise, and scob is a kind of phishing that doesn’t even require the user to consciously interact. So such an attack can be an automated money-making machine.

What to do? Certainly we need to do all the usual things: apply patches, run firewalls, install intrusion detection, educate users, system administrators, and software vendors. Plus some new things, such as software diversity, and competition on security. This is all due diligence and best practices.

But many users and companies won’t do these things, because people tend to pay attention to security only when they suffer direct damage, and most people didn’t this time. So no matter how diligent you and your company are, the next attacks may still affect you because someone else was not so diligent.

You can have all the non-flammable insulation and sprinkler systems you like, and your office can still burn down in a wildfire, or your telephone or the power can go out due to a tornado or a system overload, all of which are beyond your control.

The time to buy insurance is before the building burns down.

-jsq