Jamie Oliver's Website Serving Malware

jones_supa writes While routinely checking the latest exploited websites, Malwarebytes came across a strange infection pattern that seemed to start from the official site of British chef Jamie Oliver. Contrary to most web-borne exploits we see lately, this one was not the result of malicious advertising but rather carefully placed malicious JavaScript injection in the site itself. This, in turn, has been used to serve visitors a delicious meal consisting an exploit kit downloading the Dorkbot trojan. Malwarebytes has contacted the administrators immediately upon discovery of this infection.

Re:Is javascript dangerous?

[IamTheRealMike]

So to answer your question: No, Javascript isn't really dangerous. Poorly written browser plugins are.

No, what's dangerous is software that doesn't silently auto update.

JavaScript vs Java vs ActionScript is largely irrelevant. Web browsers routinely ship fixes for dozens of JS sandbox escapes in every update they release. Web sandboxes aren't made of magic that is unavailable to other technologies. The reason most exploit kits still target Flash and Java is that modern web browsers keep themselves up to date a lot more aggressively than those plugins do/did - typically not asking for permission any more. If you dig in you'll usually find these exploit kits are exploiting bugs that were found and patched years ago. But they still work because some non-trivial fraction of the userbase always dismisses auto update requests.

In case you don't believe me, consider that in 2014 Java had no zero day exploits at all. But some people are still vulnerable to bugs from 2012. The ask forgiveness not permission auto update policy was pioneered by Google and unfortunately took a long time to become accepted as the standard due to the old mindset, especially amongst tech geeks, of "my computer is my castle".