The Register®

Original URL: http://www.theregister.co.uk/2004/11/12/time_bomb_exploit/

Say hello to the 'time bomb' exploit

Danger UXB

By John Leyden

Posted in Enterprise Security, 12th November 2004 15:12 GMT


Prepare yourself for "time bomb" exploits that attack web-based systems at a pre-determined time.

A recent whitepaper, Second-order Code Injection Attacks (http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf), by UK security consultancy NGS Software (NGS) explains how new techniques for attacking web-based applications alter the security landscape. Gunter Ollmann, professional services director at NGS, and author of the paper, explains: "Many forms of code injection targeted at web-based applications (for instance cross-site scripting and SQL injection) rely upon the instantaneous execution of the embedded code to carry out the attack. [But] in some cases it may be possible for an attacker to inject their malicious code into a data storage area that may be executed at a later date or time".

These "second-order code injection attacks" involve injecting malicious code into applications, where it is later retrieved, rendered and executed by the victim. Targeted systems could be internal applications - not just the web-based application - creating a higher risk than classical code injection attacks, according to NGS' David Litchfield. "Malicious code could be injected at any time and not 'activated' until some later period - ideal for professional criminals," he added.

More about the new type of attack and how it can be combated can be found in NGS' white paper here (http://www.nextgenss.com/papers/SecondOrderCodeInjection.pdf). NGS discovered the flaw which was exploited by the infamous Slammer worm and is highly regarded in the field of vulnerability research. ®
