The same is true on the Web. In the last two years, we've all been wowed by new Web-based applications like Google Maps and the Web application development techniques like AJAX (Asynchronous Javascript and XML) that make them possible. How many of us really want to think about the possible vulnerabilities that cool new tools like AJAX introduce while they're doing all that magic behind the scenes?

But a new Javascript e-mail worm may be a sign that our romance with what's been dubbed "Web 2.0" and the tools like AJAX that make it possible could be coming to an abrupt end.

Yamanner first appeared on June 12 and targets users of Yahoo Web-based e-mail program. It exploits a previously unknown cross site scripting hole and uses AJAX to raid a victim's Yahoo Mail contacts. The worm's appearance is evidence that malicious code writers are using AJAX and other dynamic Web development techniques to create stealthy Web-based attacks, said Billy Hoffman, lead research and development engineer at SPI Dynamics, a Web application security company.

Yamanner's author or authors figured out how to attach malicious Javascript to a standard HTML image tag in a way that fooled Yahoo's malicious code filters. Once a Yamanner message was opened and the image finished loading, the malicious code was run, and AJAX was used to silently connect back to Yahoo's Web server and send out copies of the virus through the victim's account, Hoffman said.

In October 2005, a Javascript-based worm called Spacehero circulated widely on the MySpace network and used AJAX to add the worm's author, "Samy," to the "friends" list of millions of MySpace users. Yamanner is a variation on the same theme, and the first evidence of an AJAX threat hitting one of the "big three" Webmail providers, Hoffman said.