jQuery is a popular Javascript framework, used by many websites (including isc.sans.edu) . jQuery provides many features, like easy access to webservices as well as advanced user interface features. When using jQuery, sites have the option to download and host the complete code, or let jQuery.com and it's CDN (Content Delivery Network) host the code.

There are two advantages in allowing jQuery.com to host the code:

• Performance: Code is typically delivered faster, and a user may already have the code cached if they visited another site that used the CDN hosted copy of jQuery.
• Automatic Updates: Updates to jQuery are pushed to the CDN by the jQuery developers, and a website using it will automatically receive the latest copy.

On the other hand, there is an important drawback, and the main reason why the jQuery code for isc.sans.edu is hosted on our own servers: With code being "blindly" included from 3rd party sites, it is possible that a compromise of this 3rd party site will affect your site's security.

Sadly, just this happened according to RiskIQ with jQuery.com [1]. The web site was compromised and malicious code was injected redirecting users to a malicious site. Luckily, the jQuery library was NOT affected. Otherwise, many additional sites would have been exposed and visitors to these sites would have been affected. This is in particular fortunate as the attack appears to be targeted. The redirection domain used in this attack was jquery-cdn.com . That domain was registered on the day the attack was first noticed.

Particulary concerning is the fact that I am unable to find any statement about the attack on jQuery.com . If someone has a link, please let me know.

[1] http://www.net-security.org/malware_news.php?id=2869

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn