ANI - Monday Apr 9th
Things seem to have settled down: all the major exploitive web groups seem to have picked up the ANI exploit, and it's now part of the general exploit fabric of the web.
By this we mean that there probably won't be any more surprises with this one, and it will now follow the pattern that we see with the other web exploits: major bad guys will continue trying to find ways to hide their use of it, minor bad guys will continue to adopt it as they figure it out, and spammers and malicious e-carders will continue to send it out for whatever it produces for them. Anyone who's patched or is running something like LinkScanner is pretty safe.
Interestingly, these guys (spammers and e-carders) will now mostly catch corporate victims, because corporates tend not to patch automatically; automatic patching breaks too many of their mission-critical systems. They rely instead on their corporate AV and firewalls to protect them, but the bad guys know how to bypass AV any time they like, and firewalls are no protection against web exploits, because the browser creates an instant tunnel right through them.
A lot of people do their online banking at work (not to mention checking their MySpace or Hotmail accounts), exactly because they think they're safer at work, protected by the corporate AV and firewall, only to find out that it was not so. Given the predilection of the recent Chinese gangs for installing rootkits and network sniffers, that cannot be a happy outcome for a corporation.