Circuit City support site hacked - infecting PCs
First HP, now this.
Circuit City's support web site, forum.circuitcity.com, was compromised by a person or persons unknown, possibly via an unpatched security flaw in Invision Power Forum, and malicious code was added that infected any visitor to the support site who had not patched their systems against an Internet Explorer vulnerability patched back in January 2006.
The salient points of this sorry tale - looking from a perspective of prevention - are:
1) The security flaw that may have been used to achieve the compromise was patched by Invision Power on 16 May. The Circuit City site was hacked on or around 13 May - three days BEFORE the patch was released. The latest exploit against Invision publicised at Gulftech seems to have been on or about 5 May. The time between an exploit being published, and being taken advantage of, is getting tighter and tighter.
Invision says they were not able to reproduce the reported exploit - here's hoping they have fixed the correct problem... they also said the exploit "has not had full public disclosure". Well, the exposure it had was enough for it to be taken advantage of. This makes me ponder the ongoing argument about "responsible disclosure". Should Gulftech have publicly announced the exploit?
2) The vulnerability in Internet Explorer was patched in *January*. It is now *May*. Why are those computers unpatched, especially considering the fact that this particular vulnerability, the WMF vulnerability, was very high profile?
We *must* patch our systems. Even if we only go to 'safe' sites, there is no guarantee that nothing bad will happen, as has happened to the users of the Circuit City forums.
Turn on Automatic Updates. Make sure you use Microsoft Update, not just Windows Update, and stay informed. Visit www.microsoft.com/security. Keep informed.