In early April, Symantec published its semi-annual horror story, Internet Security Threat Report, Trends for July–December 07, Volume XII. (Read the shorter executive version if you are pressed for time.)
This report confirms and expands on what the Google researchers have discovered – that major threats have shifted from broad-based network attacks to web-based attacks targeting individual users who are visiting websites. The attacks are central to a large underground economy that shows no signs of a recession-led slowdown. The perpetrators use very sophisticated techniques to harvest data that will allow them to create or intercept financial transactions and amass huge “revenues.”
Just as Google reported, Symantec has discovered a spike in site-specific vulnerabilities that lead to the compromise of unsuspecting and seemingly harmless websites. Symantec documented 11,253 site-specific cross-site scripting vulnerabilities in the last six months of 2007. According to the report, “this is considerably higher than the 2,134 traditional vulnerabilities documented by Symantec during this period. These vulnerabilities are a concern because they allow attackers to compromise specific websites, which they can then use to launch subsequent attacks against users. This has shown to be an effective strategy for launching multistage attacks and exploiting client-side vulnerabilities.”
The report further states, “Symantec has also observed that attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites. This increases the likelihood that the attacks will be successful because a user is more likely to allow a trusted site to execute code on his or her computer, or to open a file downloaded from a trusted site. Attackers targeting trusted sites can also steal user credentials or launch mass attacks because they may allow attacks to propagate quickly through a victim's social network. This is one reason for the shift to site-specific vulnerabilities.”
Symantec says that browser plug-in vulnerabilities also are on the rise. This comes at a time when Web 2.0 applications are popularizing the use of browser plug-ins. Great, just when we're getting to the point of far more useful and responsive web applications, we now need to worry about how they might be compromised.
Symantec's report provides very detailed information about the vulnerabilities and the sources of the threats. If security is your responsibility (and it should be everyone's responsibility), then here's a little light reading for your spare time.