QUOTE(Joel Leyden @ Sun 19th November 2006, 2:01pm)
"None of this embedded-into-images stuff...!"
Well, I hate to say it, but I TOLD YOU SO months ago!
Wikipedia is a cesspool which has harmed so many good, innocent people.
Whether it is through images or other means, there are enough people out there with a strong and powerful vengeance to bring Wikipedia down. Just a matter of time,,,,tick, tick, tick ;>
Well, yeah. "None of this embedded-into-images stuff" is indeed what I wrote back then, and it continues to hold true now... But okay, Joel, fine by me - if it helps any, you were right and I was wrong!
Still, I want to make sure everyone is aware of the difference between the two modes of attack. Think about it - virus-laden images could be posted to (or linked/displayed by) almost any publicly-editable website in the world, including this one. It's a particularly nasty exploit, because you could post an image tag for an offsite file that's perfectly harmless, and have it stay that way for weeks, until one day you replace the offsite image itself with a virus-laden one. Nobody notices because everybody's moved on, but there's always going to be someone who happens on it unexpectedly someday and possibly gets infected by it. Criticizing Wikipedia for that isn't especially fair - they do more to prevent people from displaying offsite images than most sites. Indeed, the vast majority. And remember, many of our members are Wikipedia users in good standing, and I know none of them would ever condone such a thing. (Hopefully!)
However, what was done on the German Wikipedia was very specific to the Wikipedia business model - it used the very respectability of Wikipedia against it, and since there were enough suckers out there who were gulled into thinking it was an authoritative source for, well, everything, they managed to infect quite a few machines because of it. So it wasn't only a more clever exploit, it was a more specifically-directed one as well... One might even say "well-directed," but I personally have no desire to encourage malware authors any more than they're being encouraged already by all this press coverage.