H-Online: The German Federal Office for Information Security (BSI) is warning about online shops that infect visitors with malicious software by exploiting security vulnerabilities in the visitor's browser, operating system or applications. The affected shops have themselves been hacked by attackers exploiting security vulnerabilities in outdated versions of the open source shop software osCommerce.
As reported by The H two weeks ago, osCommerce shops are currently being hacked en masse. The vulnerabilities used for the hack were fixed in November last year with the release of osCommerce 2.3, but many companies running online shops have yet to update to a secure version.
The BSI is advising companies running osCommerce-based online shops to check which version of the software they are using and, if necessary, to update to one of the current versions (2.3.1 or 3.0.2). Installations running older versions should be checked as a matter of urgency to see whether they have been compromised. The BSI is further advising users to keep virus signatures up to date and to install all available security updates for their operating system and applications.
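The two checks the BSI recommends, as an added example that is not from The H, the BSI or the osCommerce project: a shell script that reports the installed version and then greps the shop tree for code-injection markers. It assumes that an osCommerce 2.x installation stores its version string as plain text in `includes/version.php`, and it treats the 2.3.x and 3.0.x branches as current, matching the versions named above. The scan patterns (hidden iframes, `eval(base64_decode(...))`, `eval(gzinflate(...))`, `document.write(unescape(...))`) are generic indicators of injected code, not signatures taken from this campaign; the sample tree it builds when run without arguments is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from The H, the BSI or the osCommerce project.
# Two heuristic checks for an osCommerce 2.x tree:
#   1. report the installed version (ASSUMPTION: includes/version.php holds
#      the version string as plain text, as the 2.x releases do)
#   2. grep the tree for markers typically left behind by shop compromises
# Usage: sh osc_check.sh /var/www/catalog
#        sh osc_check.sh            (runs against a constructed sample tree)

# Print the version recorded in includes/version.php, or "unknown".
osc_version() {
    f="$1/includes/version.php"
    if [ -r "$f" ]; then
        tr -d '\r\n' < "$f"
    else
        printf 'unknown'
    fi
}

# Return 0 if the version is on a branch the article calls current
# (2.3.x or 3.0.x); anything else, including "unknown", counts as outdated.
osc_is_current() {
    case "$1" in
        2.3.*|3.0.*) return 0 ;;
        *) return 1 ;;
    esac
}

# List files under the tree containing typical injected-code markers.
# Heuristic only: every hit needs manual review, and a clean run is no
# proof the install is intact (attackers also plant entirely new files).
osc_scan() {
    grep -rlE \
        -e 'eval\(base64_decode\(' \
        -e 'eval\(gzinflate\(' \
        -e '<iframe[^>]*(width|height)="?0' \
        -e 'document\.write\(unescape\(' \
        --include='*.php' --include='*.js' --include='*.html' \
        "$1" 2>/dev/null
}

# Build a constructed sample tree (outdated version, one injected iframe,
# one dropped PHP file) so the script can be exercised offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/includes" "$d/images"
    printf '2.2 RC2a\n' > "$d/includes/version.php"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    # constructed payloads, not real captures:
    printf '<?php echo "shop"; ?><iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n' \
        > "$d/product_info.php"
    printf '<?php eval(base64_decode("cGhwaW5mbygpOw==")); ?>\n' > "$d/images/.cache.php"
    printf '%s' "$d"
}

main() {
    root="${1:-$(make_sample)}"
    v=$(osc_version "$root")
    echo "osCommerce version: $v"
    if osc_is_current "$v"; then
        echo "version is on a current branch"
    else
        echo "OUTDATED: update to 2.3.1 or 3.0.2 and check for compromise"
    fi
    echo "files with injection markers (review each by hand):"
    osc_scan "$root" | sed 's/^/  /'
}

main "$@"
```

Point the script at the catalog directory of a live shop; a version outside the 2.3.x/3.0.x branches or any file listed by the scan is the cue to take the shop offline and rebuild from a known-good copy rather than to clean individual files, since the scan only finds the patterns it knows.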
Although the BSI produces advisories for a German audience, its advice is worth considering anywhere: around 8 million pages on osCommerce-based sites around the world have shown up in search engine results carrying the malicious code.