That’s for real people. Don’t try this at home! Leave it to the professionals.

The attack surface of Web technologies has dramatically increased over the past couple of years. It is not only about Web applications. Today we explore client-side technologies, which also play a big part in the Web security game.

This footage, although a little bit dramatized, is not that far from the truth. If you go online with an unprotected browser, it is almost guaranteed that you will get hacked in a matter of hours. Exploit code for various IE and FF bugs is easily accessible on the net today. With a few modifications, this code can reach a user base greater than any worm has ever achieved. That’s mainly because Web technologies are highly accessible. Think about it: RSS feeds, splogging, AJAX worms, dark SEO…

Let’s imagine for a second what the impact would be if the Samy worm had shipped with the infamous IE VML exploit, for example. Here is what Samy says about his worm:

I have hit 1,000,000+ users. In less than 20 hours, I’ve hit over 1/35th of all myspace users. Every request is from a unique, living, and logged in user. I refresh once more and now see nothing but a message that my profile is down for maintenance. I messed up… I’ll never get caught. I’m Popular.

1,000,000+ users in less than 20 hours. That’s something. Even if only 1% of them are visiting MySpace with a vulnerable IE, we are already talking about 10,000 users. That’s about the average botnet size, as reported here:

In its latest annual Internet threat report, Cupertino, Calif.-based security giant Symantec Corp. reported that the average botnet size was around 10,500 machines. Washingtonpost

We all know that the number of vulnerable IE browsers visiting MySpace is much higher.

Where does this leave us? Well, security professionals are still fighting on the front line. Sure, we disclose vulnerabilities that can be used to do bad things, but this is done on purpose, and in fact mostly to get the bloody thing fixed and make it more secure.