Slashdot Mirror


jQuery.com Compromised To Serve Malware

An anonymous reader writes: jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been redirecting visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware. While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users, says James Pleger, Director of Research at RiskIQ.

103 comments

  1. They will never learn by drinkypoo · · Score: 4, Interesting

    People get upset when you call them incompetent for sourcing stuff out to foreign CDNs, but stuff like this happens all the time. It's not safe to pull stuff in from other sites for reasons which are obvious to anyone competent.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:They will never learn by _xeno_ · · Score: 5, Informative

      According to the article, the library itself wasn't affected.

      Plus most people don't use jQuery.com as a CDN. Instead jQuery recommends you use Google's CDN if you want to use a CDN for jQuery.

      Of course, this is still bad - I visit jQuery.com fairly frequently to check the documentation. The article doesn't say what was required for the malware to run so I have no idea if I was vulnerable to it or not, but if it was dropped on all pages and not just the home page, I definitely could have been hit by it.

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:They will never learn by Dracos · · Score: 4, Informative

      You're speaking of the wrong "they". jQuery.com runs WordPress: that's the incompetence. If I had a nickel for every WP-based exploit or compromise, I'd have about $50, and I'm pretty sure this is another one.

    3. Re:They will never learn by Anonymous Coward · · Score: 0

      Exactly, why do you need to use a CDN for 85k worth of javascript?

    4. Re:They will never learn by Anonymous Coward · · Score: 1

      Why do you use 85k of javascript when 25 lines of pure javascript will do?

    5. Re:They will never learn by gandhi_2 · · Score: 3, Interesting

      Every mass-use CMS has had exploits. Even without the plugin exploit problems.

    6. Re:They will never learn by Anonymous Coward · · Score: 0

      To save 21 lines?

      $ wc -l jquery-1.11.1.min.js
      4 jquery-1.11.1.min.js

    7. Re:They will never learn by Anonymous Coward · · Score: 0

      If I had a nickel for every WP-based exploit or compromise, I'd have about $50

      So about 1000 WP-based exploits?

      - a guy with Mathematics PhD from MIT

    8. Re:They will never learn by pooh666 · · Score: 3, Insightful

      What makes YOUR site so safe?

    9. Re: They will never learn by Anonymous Coward · · Score: 0

      Just because any piece of software could potentially have vulnerabilities it does not mean that they're all equally susceptible.

      Some software is inherently less secure than other, similar software, due to the languages and other technologies being used, due to the competence of the developers, due to the development approaches being used, and so forth.

    10. Re: They will never learn by Anonymous Coward · · Score: 1

      Wrong. You're supposed to use code.jquery.com, which is hosted by (wait for it) jQuery. You know, the people who were compromised.

      There's apparently no sign the jQuery CDN was hacked (jQuery.com is a different server), but it's not a good sign if you use the CDN you're supposed to use, the theory being browsers only need to cache the single code.jquery.com copy of the library instead of one per site.

      But, you know, go ahead and spread false information. It's Slashdot, after all.

    11. Re:They will never learn by Alrescha · · Score: 1

      My firewall is whitelist-based. This means if a site uses stuff hosted off-site (jquery, googleapis) it probably isn't going to load. The net effect is that while I can browse such storefronts, I have to do work to buy from them. So I buy elsewhere. They might learn, eventually.

      A.

      --
      ...bringing you cynical quips since 1998
    12. Re: They will never learn by Anonymous Coward · · Score: 0

      Why use libc when 25 lines of C will do? Software libraries are so dumb.

    13. Re:They will never learn by jonasty · · Score: 1

      It was a drive-by download - no action required on your part to get popped.

    14. Re:They will never learn by DahGhostfacedFiddlah · · Score: 1

      There's only one of it?

    15. Re:They will never learn by Anonymous Coward · · Score: 1

      By offloading resources resources to an external site you introduce an additional point of failure. If that site goes down or becomes compromised, your site does as well. However, if your site goes down or gets compromised, it's already down/compromised, so it doesn't matter that the external resource is also there.

    16. Re:They will never learn by Anonymous Coward · · Score: 0

      You needed a PhD to figure out 50/0.05?

    17. Re:They will never learn by CODiNE · · Score: 1

      Have you ever said "I don't run a virus scanner and I've never gotten a virus"?

      --
      Cwm, fjord-bank glyphs vext quiz
    18. Re:They will never learn by tlhIngan · · Score: 2

      Plus most people don't use jQuery.com as a CDN. Instead jQuery recommends you use Google's CDN if you want to use a CDN for jQuery.

      While the recommendation may be there, I can tell you that is NOT the case. Far too often if you use NoScript, "jquery.com" is listed right there as a necessary script for the website to work.

    19. Re:They will never learn by Anonymous Coward · · Score: 1

      When you get into higher mathematics you tend to keep away from actual numbers.

    20. Re:They will never learn by RabidReindeer · · Score: 2

      Why do you use 85k of javascript when 25 lines of pure javascript will do?

      Because they're really, really nasty lines of Javascript. And the same 25 lines won't work on all the different web clients.

    21. Re:They will never learn by Vellmont · · Score: 1

      I disagree with your basic premise, that things are secure, or insecure. Everything is a tradeoff. Using a foreign CDN is a tradeoff of trusting a third party to be secure vs doing it yourself. Just because you do it yourself doesn't mean it's "more secure", it's just more in your control, which can be good or bad.

      We make this tradeoff all the time. Have you ever used 3rd party software on your website? Well then you're making a tradeoff as well.

      You're right to be suspicious of trusting a 3rd party, but I don't agree that using a CDN is always a bad choice, incompetent, and obvious to anyone competent.

      --
      AccountKiller
    22. Re:They will never learn by Anonymous Coward · · Score: 0

      No. My grammar is too good.

    23. Re:They will never learn by Anonymous Coward · · Score: 0

      $ wc --max-line-length jquery-1.11.1.min.js
          32086 jquery-1.11.1.min.js

      Lack of newlines does not a small file make, especially when you have one line that's almost 32 KB long. That "minimal" version still clocks in at 37KB, which is many times larger than the nominal source of most pages that reference it. 1KB of useful text and 37KB worth of JavaShite, that's Web 2.0.

    24. Re: They will never learn by Anonymous Coward · · Score: 0

      What a stupid statement. jquery is not equivalent to libc. jquery is equivalent to something like GTK.

    25. Re:They will never learn by TWX · · Score: 1

      Yep. I HATE cross-site scripting. Unfortunately everyone under the sun has gone to it in the last few years even when it doesn't seem to serve any purpose, even for advertising revenue.

      --
      Do not look into laser with remaining eye.
    26. Re:They will never learn by TWX · · Score: 1

      They won't learn. There have always been individuals that have gone against the grain or against the easiest path. You happen to be among them right now, and that element is small enough that it doesn't really pose a problem for everyone else.

      --
      Do not look into laser with remaining eye.
    27. Re:They will never learn by Anonymous Coward · · Score: 0

      No one ever looks at it

    28. Re:They will never learn by jellomizer · · Score: 1

      The exact moment when your site is safe is when you think it is safe.

      Because at the point where you think it is safe, is the point where you have stopped trying to improve security and that is when problems can happen.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    29. Re:They will never learn by Anonymous Coward · · Score: 1

      What makes YOUR site so safe?

      Nobody uses it.

    30. Re:They will never learn by drinkypoo · · Score: 1

      My site is not particularly safe. I'm using specious hosting and the most I do is occasionally log in and run updates.

      However, my site is safer than my site plus some other sites, too.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    31. Re:They will never learn by Anonymous Coward · · Score: 0

      Every mass-use CMS has had exploits.

      Why do we keep mass-using the exploitable ones?

    32. Re:They will never learn by wonkey_monkey · · Score: 1

      So... it's safe when you think it's safe, and when you think it's safe, it's not safe? So when it's safe, it's not safe?

      --
      systemd is Roko's Basilisk.
    33. Re:They will never learn by TangoMargarine · · Score: 1

      What's wrong with his grammar?

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    34. Re:They will never learn by lennier · · Score: 2

      My site is not particularly safe. I'm using specious hosting

      That's nothing, I've implemented an entire fallacious reasoner on a casuistic cloud architecture using sophistic inferencing. I'm pretty confident in the results I'm getting.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    35. Re:They will never learn by Just+Some+Guy · · Score: 1

      Something like Jekyll can never have a server-side exploit, and statically-generated sites are certainly popular enough among larger projects.

      --
      Dewey, what part of this looks like authorities should be involved?
    36. Re:They will never learn by Just+Some+Guy · · Score: 3, Informative

      The purpose for parking JavaScript on a CDN is so that your visitors are likely to already have it in their cache. A million sites referring to the same URL is far more resource friendly than 10,000 sites hosting their own copy.

      --
      Dewey, what part of this looks like authorities should be involved?
    37. Re:They will never learn by plcurechax · · Score: 2

      What makes YOUR site so safe?

      I used FrontPage to create it, and host it on MySpace.

    38. Re: They will never learn by Anonymous Coward · · Score: 0

      I think you are making some seriously poor assumptions about how compromising jquery.com could possibly allow an infected jquery version to be dispersed by the cdn you mention. Let alone the ways in which such things would be noted instantly, there's just a whole lot of not thinking things through here.

    39. Re:They will never learn by Anonymous Coward · · Score: 0

      Then don't try to do in public what you obviously aren't intelligent enough to do then.

    40. Re: They will never learn by Anonymous Coward · · Score: 0

      Wooooooooosh

    41. Re:They will never learn by Frobnicator · · Score: 1

      My firewall is whitelist-based. This means if a site uses stuff hosted off-site (jquery, googleapis) it probably isn't going to load. The net effect is that while I can browse such storefronts, I have to do work to buy from them. So I buy elsewhere. They might learn, eventually.

      They won't notice or care. Why would they? You aren't doing anything to trip any kinds of alarms or alerts with them.

      If you want them to do something, call their help desk and act like an incompetent computer user. "My kids set up this newfangled computer and I can't buy from you..." If enough people did that it might make a blip on their stats that "JavaScript All The Things!" mentality will cost them in support calls and possibly lost business.

      --
      //TODO: Think of witty sig statement
    42. Re: They will never learn by Anonymous Coward · · Score: 1

      For many years code.jquery.com actually to Google itself. It wasn't until about a year ago that they got support from a different CDN to host it from code.jquery.com directly again. They still list alternative CDNs on their instructions, and say you can use whichever works best as long as you don't mind alternatives being possibly a couple days out of date on updates.

    43. Re:They will never learn by Anonymous Coward · · Score: 0

      $ wc --max-line-length jquery-1.11.1.min.js

          32086 jquery-1.11.1.min.js

      Lack of newlines does not a small file make, especially when you have one line that's almost 32 KB long. That "minimal" version still clocks in at 37KB, which is many times larger than the nominal source of most pages that reference it. 1KB of useful text and 37KB worth of JavaShite, that's Web 2.0.

      If you use Google's CDN, the user will only have to download jquery-1.11.1.min.js once and the browser will cache it for any site that also uses that CDN. Download 37KB once (a big burden if you're on dialup I guess) and it saves any JS-heavy site from having to waste MORE kilobytes reimplementing stuff the jQuery library already does. It's a net positive, and jQuery is probably doing things more efficiently than a lot of web developers who rely on it would if left to their own devices.

      Seriously, if you're so concerned about bandwidth usage, you should probably strip images. Those can be MUCH bigger than 37kb.

    44. Re: They will never learn by int19h · · Score: 1

      "gotten" instead of "contracted", perhaps.

    45. Re:They will never learn by chrish · · Score: 1

      Pulling bits from a foreign CDN also leaks information via the referrer headers, which might be something you need to worry about if you're using it for internal projects.

      --
      - chrish
    46. Re:They will never learn by unimacs · · Score: 1

      What? People don't like to be called incompetent ? Who knew ? ;)

      The chance of an average American being in a car accident in the next 5 years is 1 in 4. 37,000 people die each year in car accidents and over 2 million are injured. Yet most of us still drive even though a lot of us have alternatives. Having your site compromised is bad but for most of us it's a lot better than being dead. My point is that life is full of risks and trade offs.

      Using a CDN like googleapis to host some of your content can improve the performance of your site, especially in terms of latency which is often a bigger concern on mobile networks than bandwidth.

      One has to weigh the risks of using a CDN against the benefits. If you understand the risks and decided that it's worth it in your case, it may not be incompetent at all.

    47. Re: They will never learn by TangoMargarine · · Score: 1

      I don't run a virus scanner and I've never gotten a virus.

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    48. Re:They will never learn by drinkypoo · · Score: 1

      The purpose for parking JavaScript on a CDN is so that your visitors are likely to already have it in their cache.

      If you're dumping so much JS on your users that this matters, you're doing it wrong. If your users visit your site so infrequently that your site doesn't stay cached, then it probably doesn't matter anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    49. Re:They will never learn by drinkypoo · · Score: 1

      Because they're really, really nasty lines of Javascript. And the same 25 lines won't work on all the different web clients.

      So you deliver different lines to different web clients. It's not exactly rocket surgery. Doesn't jquery do this already regardless of where the code is hosted?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    50. Re:They will never learn by Anonymous Coward · · Score: 0

      "gotten" is not standard English; the correct form is "got".

    51. Re:They will never learn by TangoMargarine · · Score: 1

      http://www-personal.umich.edu/...

      "I've gotten" meaning "I have received," not "I currently have."

      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    52. Re:They will never learn by RabidReindeer · · Score: 1

      And then it's no longer 25 lines you're maintaining. In parallel.

      Yes, one of the prime benefits of jQuery is that it handles the client-specific warts of Javascript.

      Not to mention quite a few of the other warts.

    53. Re:They will never learn by Just+Some+Guy · · Score: 2

      But if you and I are using the same library, why make the visitor fetch and store it twice? That's a slower startup for both of our sites. Multiplied across hundreds of thousands of jQuery-using instances, it adds up.

      The fastest GET is the GET which need not be made.

      --
      Dewey, what part of this looks like authorities should be involved?
    54. Re:They will never learn by drinkypoo · · Score: 1

      But if you and I are using the same library, why make the visitor fetch and store it twice?

      Because of things like this. Sure, the library was allegedly not compromised, but that's this time.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    55. Re:They will never learn by sjames · · Score: 1

      Because I feel at least some sense of responsibility for not infecting people who visit my site but I have no idea how well you or some other party have secured their sites.
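The thread above weighs the caching benefit of a shared CDN copy against having to trust whoever serves it. One way to keep the benefit while removing the trust is Subresource Integrity: the page pins the hash of the exact file it expects, and the browser refuses a copy whose hash differs. The following is an added example, not code from the thread or from the jQuery project; the jQuery bytes are a constructed stand-in and the function names are the example's own.

```python
"""Pin a third-party script with Subresource Integrity (SRI).

A page that loads jQuery from a CDN runs whatever bytes that host serves.
With an integrity attribute the page declares the digest it expects; a
browser that supports SRI refuses to execute a file whose digest differs,
so a compromised or stale host cannot silently substitute other code.
"""
import base64
import hashlib
import re

# Digest algorithms browsers accept in an integrity attribute, weakest first.
SRI_ALGOS = ("sha256", "sha384", "sha512")

# Constructed stand-in for a jQuery build; in practice read the real file
# from disk (the copy you reviewed), never from the CDN you are pinning.
JQUERY_SAMPLE = b"/*! jQuery v1.11.1 (constructed sample) */ window.jQuery = {};\n"


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, data: bytes, algo: str = "sha384") -> str:
    """Build the <script> element that pins `data` for the file at `url`.
    crossorigin="anonymous" is required for the browser to check a
    cross-origin resource at all."""
    return (f'<script src="{url}" integrity="{sri_hash(data, algo)}" '
            f'crossorigin="anonymous"></script>')


def integrity_matches(data: bytes, integrity: str) -> bool:
    """Deployment-side check mirroring the browser's rule: parse a
    (possibly multi-token) integrity attribute, keep only the strongest
    supported algorithm, and accept `data` if any token of that strength
    matches its digest. Tokens with unknown algorithms are ignored, as a
    browser would; if that leaves nothing, the attribute pins nothing, and
    this returns False so a deployment check flags it."""
    tokens = []
    for tok in integrity.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", tok)
        if m:
            tokens.append((m.group(1), m.group(2)))
    if not tokens:
        return False
    strongest = max(tokens, key=lambda t: SRI_ALGOS.index(t[0]))[0]
    for algo, b64 in tokens:
        # Canonical base64 is compared as text; hashlib output is canonical.
        if algo == strongest and sri_hash(data, algo) == f"{algo}-{b64}":
            return True
    return False


if __name__ == "__main__":
    pinned = sri_hash(JQUERY_SAMPLE)
    print(script_tag("https://code.jquery.com/jquery-1.11.1.min.js", JQUERY_SAMPLE))
    tampered = JQUERY_SAMPLE + b"/* one extra byte changes the digest */"
    print("original accepted:", integrity_matches(JQUERY_SAMPLE, pinned))
    print("tampered accepted:", integrity_matches(tampered, pinned))
```

The tag still has to be regenerated whenever the pinned file is upgraded, which is the point: an unexpected change in the served bytes fails closed instead of running.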

  2. Just use the cdn, no one hosts their own by Anonymous Coward · · Score: 0

    Or perhaps lets start hosting our own content again so when one of the big guys gets ass raped, only the big guys get ass raped.

  3. wow.... by gandhi_2 · · Score: 4, Funny

    did I just hear some relevant news on slashdot before i saw it on twitter?

    today is a bright, shiny day!

    1. Re:wow.... by Anonymous Coward · · Score: 0

      did I just hear some relevant news on slashdot before i saw it on twitter?

      You better run a query on it to be sure.

  4. The key piece of info that you need to know by Fnord666 · · Score: 4, Informative

    The key piece of info that you need to know is this:

    The only good news in all of this is that there is no indication that the jQuery library was affected.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  5. Thats not good. by stewsters · · Score: 1, Interesting

    This is going to be a large one. Many small to medium websites use their cdn for hosting JQuery rather than pulling it down and hosting it themselves. Kinda feel a little better about hosting it myself now.

    1. Re:Thats not good. by Jason+Levine · · Score: 3, Interesting

      Except they've said that the library wasn't affected. So it would just be people who went to the jQuery website... like I did a couple of days ago. :-O

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:Thats not good. by pooh666 · · Score: 1

      yep, and the low visibility of your one single site means that any exploit on your version of jquery will be much more likely to go unnoticed. Not to mention the not RTFA part about it not affecting hosted versions.

    3. Re: Thats not good. by Anonymous Coward · · Score: 0

      How do they know for sure that it wasn't compromised?

    4. Re:Thats not good. by _xeno_ · · Score: 1

      It would be nice if the article mentioned what browsers/plugins were vulnerable, wouldn't it? (And does this cover api.jquery.com or just the home page?) Although it wouldn't surprise me that they just don't know yet since jQuery is still investigating.

      I'm pretty sure I'm up to date with everything, but...

      --
      You are in a maze of twisty little relative jumps, all alike.
    5. Re:Thats not good. by freezin+fat+guy · · Score: 1

      The good news is that admins are more likely to run flash block or equivalent settings, and jquery.com isn't one of those evil sites that requires flash.

      Now if we could just get Google to fully commit to a flash-free world...

    6. Re:Thats not good. by Jason+Levine · · Score: 1

      Exactly. I visited api.jquery.com with Google Chrome. Am I safe because I used Chrome or because I didn't go to www.jquery.com? Or am I still potentially infected? Was the infection only on September 18th (removed that day) or did it linger for a few days after this? (When I went there on September 19th, could I have been infected?) Details would be very helpful.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    7. Re:Thats not good. by mi · · Score: 0

      I'm quite comfortable, that the browser I compiled myself — with customized optimization flags — running on a similarly custom-compiled operating system is secure. And, yes, the Java I use is also custom-compiled.

      Not saying, everyone else "deserve", what they are getting, but the Internet would be a finer place, if they all dropped-off for a while.

      --
      In Soviet Washington the swamp drains you.
    8. Re: Thats not good. by Anonymous Coward · · Score: 0

      So you inspected every line of source code of your browser, operating system, and java runtime, and visually verified that they are all secure?

    9. Re: Thats not good. by mi · · Score: 1

      So you inspected every line of source code of your browser, operating system, and java runtime, and visually verified that they are all secure?

      No, I simply know enough about exploits. The software on my system may — indeed, is likely to — contain the common vulnerabilities. In theory it is just as exploitable as anything else.

      However, to be able to exploit my machine in practice, you need to know exactly how my stuff is compiled. How exactly should your JPG file be crafted, for example, to insert executable code to where it will be executed? People running pre-compiled binaries can all be infected by the same image.

      People like myself, using non-default compilers with non-default optimization flags, require customization. And there is no profit in such individual customizations for any regular hacker — one has to target me specifically spending considerable effort. People, who'd do that to get me, can already issue subpoenas and obtain search-warrants...

      Like a person hugging the ground when a mortar falls, I'm not invincible. But I'm far safer, than the fools standing-up are...

      (BTW, it really is a bad style to down-mod and then post anonymously in the same thread...)

      --
      In Soviet Washington the swamp drains you.
  6. More reason for Requestpolicy by TheCarp · · Score: 2

    This is exactly the sort of reason I run requestpolicy, and jquery is always one of the ones I hate seeing because I know what it means to allow so many sites to talk to load code the same one, so it only ever gets a temporary exception, same for googleapis.

    --
    "I opened my eyes, and everything went dark again"
    1. Re:More reason for Requestpolicy by pjt33 · · Score: 4, Informative

      If you're that worried about it, why don't you run a local mirror and point your hosts file at it?

    2. Re:More reason for Requestpolicy by TheCarp · · Score: 1

      well, I, because.... fucking great idea. I really just never considered it.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:More reason for Requestpolicy by Anonymous Coward · · Score: 0

      SHHHHHH!

      You'll wake him.

      Do you feel that rumble? Dammit! What have you done?!

    4. Re:More reason for Requestpolicy by Anonymous Coward · · Score: 0

      I'm not in the mood.

      APK

      No, really. Not today. ...apk

    5. Re:More reason for Requestpolicy by Anonymous Coward · · Score: 0

      Another way to protect yourself against this threat using hosts files was posted here http://developers.slashdot.org...

  7. hosted scripts by Anonymous Coward · · Score: 0

    That's one of the main reasons I prefer hosting all the files myself. At least you don't compromise your IT-security or brandname if such a breach happened. The attackers clearly didn't know what damage they could have done if they used this breach correctly.

    1. Change the CSS & Jquery javascripts that are used by millions of domains and websites.
    2. Serve malware.
    3. Profit.

  8. Always assumed it was ... by gstoddart · · Score: 2

    I have always treated it like it's an external 3rd party, not the web site I'm visiting, and therefore not an entity I trust.

    I've always viewed jquery as about as trusted as doubleclick or scorecardresearch. I don't know or care what you do, I didn't visit your site.

    But then, I've learned not to trust the web in general.

    With so many sites using this, dumping malware into it means you can get a whole lot of sites easily ... making this a fairly obvious target.

    --
    Lost at C:>. Found at C.
  9. JQuery Compromised? by Anonymous Coward · · Score: 0

    I wonder what their side of the compromise was. What could they want that a Malware company could provide?

  10. Re:The key piece of info that you need to know by Anonymous Coward · · Score: 0

    This shows how dumb the hacker is. If you managed to hack jquery.com, it seems like the first thing to go after is the jquery library that's hosted there.

  11. jQuery.com Compromised To Serve Malware by marsu_k · · Score: 1

    You mean... jQuery?

    (for the record I use it where appropriate, but it's also way over/misused)

    1. Re:jQuery.com Compromised To Serve Malware by just_another_sean · · Score: 1

      No, their website was compromised, not the library so the headline is valid.

      --
      Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  12. Re:The key piece of info that you need to know by benjfowler · · Score: 1

    Probably not that dumb. If it's a watering-hole attack to go after developers rather than end-users to steal IP or go after high-volume websites in a less-indiscriminate way, then that would make sense.

  13. Considering jQuery is malware... by greenwow · · Score: 0, Funny

    it is illogical to lie and claim that it was compromised to serve malware. It was compromised to serve an additional malware. That is what happened. The headline uses Republican style logic. The only thing it didn't do was talk about how much the jQuery creators hate their users by spewing out such garbage that they shove down the throats of users. They are horrible people.

  14. Noob question: Could a Mac be infected? by NitzJaaron · · Score: 1

    Did a little research on the Rig exploit, and I've come away a bit confused: if I hit the exploited site while using a Mac, could the Mac be infected, and if so how could I tell - and how could I remove it if so? Thanks in advance.

    1. Re:Noob question: Could a Mac be infected? by Jason+Levine · · Score: 1

      I was looking into it also as I went to the jQuery.com site a day after the exploit was detected. (It was detected on September 18th. I visited the site on September 19th.) Apparently, the RIG exploit uses IE, Java, Flash and/or Silverlight. I'm not sure if my loading of the site in Google Chrome means that I'm safe or that I could still be infected.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:Noob question: Could a Mac be infected? by sexconker · · Score: 1

      I've been all over their site lately, using FF, NoScript, and ABP. Saw nothing out of the ordinary.

  15. Re:Preventative medicine, inside... apk by Anonymous Coward · · Score: 0

    Yeah, I just turn your hosts file into my local DNS server and point everything at that. No point in copying host files around to every blessed machine.

  16. JQuery is a menace anyway by Mister+Liberty · · Score: 1

    Browser sniffer par excellence.

    1. Re:JQuery is a menace anyway by Anonymous Coward · · Score: 0

      Wow. I don't even...

    2. Re:JQuery is a menace anyway by CrashNBrn · · Score: 1

      Yeah it's kinda crap in some ways. It sure is a nicer/cleaner/more readable/less-typing syntax though. Kinda like Groovy v Java.

    3. Re:JQuery is a menace anyway by PPH · · Score: 1

      It's a fscking bottleneck. Too many times, an otherwise useful page stalls trying to load something from jquery.com.

      --
      Have gnu, will travel.
  17. Re:The key piece of info that you need to know by TWX · · Score: 1

    Or they wanted to see how quickly a penetration would be noticed, if at all, so that they could build a bigger exploit.

    --
    Do not look into laser with remaining eye.
  18. Too hard to read... did not read by Anonymous Coward · · Score: 0

    Too bad the article it linked to used that almost unreadable light grey colour on the font. I took one look and decided not to bother. When I have to squint and struggle to see it, forget it. Who was the numbskull who came up with the idea that light grey on white is a good scheme for presenting type? Or was this a case of younger designers not giving a rat's ass about older readers? Fuck.

  19. How dare you? by Anonymous Coward · · Score: 0

    How dare you dismiss an entire organization as incompetent based on the selection of a popular and mature CMS platform?

    It's the *3rd party* code that introduces the majority of exploits to the platform. The quality of code in the plugin/theme community is largely *crap* and deserves your misplaced ire.

    Further, jQuery's use of WordPress is anything but standard: http://gnarf.net/jquery-and-wordpress/#slide1

    And finally, I'm not really sure if the OP is accurate at all. The only affected domain seems to be jquery-cdn.com which doesn't appear to be an official domain in the first place. The first link in the OP has a statement from the jQuery Foundation stating that they can't confirm ever being infected.

    ~jbr

    1. Re:How dare you? by Anonymous Coward · · Score: 0

      Funny, I always thought that jQuery was malware from the git-go. Most of what is in the core library are things you could do easily yourself; apart from the AJAX code I could hardly see the point. To do anything useful with it you have to bring in a lot of your own code and/or make heavy reliance on tons of addons having very uneven quality and provenance. I never could understand why most everyone goes so gaga about it. It's a big exercise in stone soup. Now, to top it all off, the core of it is not being protected from compromise.

      I'd much rather use a framework with better integration and less of a sneering attitude toward browsers outside of the latest mainstream.

  20. Windows malware by manu0601 · · Score: 1

    The attack should be a concern because jquery.com visitors are devs and sysadmins. But I understand RIG is a Windows malware. Who trusts Windows enough to use the same machine to surf the web and to store precious keys?

  21. DNS = more resources used + complexity too by Anonymous Coward · · Score: 0

    Higher electrical bills, cpu, RAM & other forms of I/O too in running a local DNS machine (especially if/when it's a separate machine), as well as more room for error due to complexity/breakdown OR exploit (Kaminsky flaw etc. - patch yourself against it OR opt for TCP usage vs. UDP (which the latter LITERALLY DOUBLES dns overheads)).

    * It's not a hassle to batchfile or cmdfile copy hosts around a network & they're less complex by far as well as less prone to error or exploitation as well (this can be setup to be automated IF you wish even from a central server in scheduled tasks (Windows) OR cron jobs (*NIX)).

    APK

    P.S.=> However, *IF* you don't mind those items noted above? Whatever works for you... apk

  22. jQuery confirms compromise by jedinite · · Score: 1
    --
    There is no try at jedinite.com
  23. Impersonating me? ... apk by Anonymous Coward · · Score: 0

    I only posted twice in this article's response threads here http://developers.slashdot.org... and here (in reply to someone) http://developers.slashdot.org...

    * You have issues, Mr. Impersonator - get over them!

    APK

    P.S.=> Bad impersonation too - you forgot my 'p.s.' I do @ the termination of my posts as well... apk

  24. Preventative medicine, inside... apk by Anonymous Coward · · Score: 0

    0.0.0.0 woitp.bestburaco.com
    0.0.0.0 bestburaco.com

    * Add those 2 lines to your hosts file & voila: You're "bulletproof" vs. this threat...

    ( Source for said protective data was digging into the source article here & its actual TECHNICAL resource source RiskIQ -> http://www.riskiq.com/resource... )

    APK

    P.S.=> For added protection vs. such threats that utilize host-domain names (the vast majority), as well as for gaining added speed, reliability, & more (than better security too)? Well, you know:

    APK Hosts File Engine 9.0++ 32/64-bit:

    http://start64.com/index.php?o...

    (Hey - it's "ME", & when hosts apply to solve a security issue or other problem? I post, since after all - it works!) ... apk