Homo boobus is one of my favorite creations: the person for whom Murphy's Law was made, and whose more spectacular appearances are usually preceded by "Hey, watch this!" The most audacious members of the species go on to win the Darwin Award posthumously.
He or she is also the user every sysadmin has seen, the one who clicks the email attachment (when they KNEW it was a virus) "just to see what it would do." In the future you may have the opportunity to know them much better, as the family of socially engineered attacks begins with "drag-and-infect."
Drag-and-infect is a case of drag-and-drop abuse that allows an "attacker [to use the flaw to] install a program on a victim's computer after convincing the person to visit a malicious Web site and click on a graphic." The malicious website is set up to lure Homo boobus into a drag-and-drop that actually deposits a program in the victim's Startup folder; the program then executes the next time the PC is restarted.
I do not agree with Microsoft's position that the flaw "did not pose a serious risk to users because it requires an attacker to trick people into visiting a Web site and taking some action at the site." Just think how a virus, as opposed to a worm, propagates: a user has to do something, has to intervene, and users do so with regularity. It is believed that drag-and-infect can be reduced to a single click, which would make the exploit far more prevalent.
I very much agree with the comment of the flaw's discoverer, who embedded a general compliment to Microsoft in saying, "The patch [for XP] really does lock down the machine nicely, and whatever anyone finds now will be completely different to the previous year's findings."
Enter the age of Homo boobus. If and when software providers do make their apps more robust, hackers and crackers will shift to the weakest link, the user, and they will do it quickly and in novel ways that sail past the controls meant to stop them.
Consider the novel manner in which spammers have gotten around the distorted graphic of ornate letters and numbers that sites use to defeat spambots and so ensure that the party replying is a person: the graphic is captured and relayed to sites where visitors gain access to erotic material by entering the correct alphanumeric string, which the spammer then uses. With the meter running, Homo boobus solves one graphic after another to gain more access.
For the geeks among readers, go here and here for evidence of spambot evolution.
A discussion has commenced regarding the responsibility of a vendor such as Microsoft to insulate any and all users from such threats. It is interesting that some of the early XP SP2 flaws are seen as requiring so much social engineering that holding Microsoft responsible is an "unrealistic expectation." I do not think that limit will hold for long, given the creativity of hackers and the propensity of Homo boobus to click on anything, and without that understanding the responsibility discussion may not go far enough.
Secunia rates this flaw as "highly critical," the second-highest of its five vulnerability ratings. I agree, and I believe that as apps become more robust, hackers will exploit this class of flaw sooner rather than later.
Earlier appearances of Homo boobus:
"Drag-and-drop flaw mars Microsoft's latest update," by Robert Lemos, August 20, 2004, 1:04 PM PT.
"IE flaw under SP2: User's problem or Microsoft's?", posted by david.berlind, Monday, August 23, 2004, 9:18 am (PDT).
"The Fastest Man on Earth (Overview and Index): Why Everything You Know About Murphy's Law is Wrong," by Nick T. Spark, www.Regulus-Missile.com and www.eyeballoverload.com, Los Angeles, California.
"Online porn often leads high-tech way," by Jon Swartz, March 9, 2004.