|
Note to webmasters: In most instances it is not necessary to use
JavaScript to produce a well designed effective page.
Because of the client-side virus and privacy risks, webmasters
should only use JavaScript when there is no alternative.
To prevent such virus and privacy risks, clients should
turn off the browser's ability to process JavaScripts.
Also, disable Window's running of VB scripts. Here is what one expert says about JavaScript (and API's): "Java tried to make a Start. Java Programs run in an Sandbox which is supposed to be secure. So is ActiveX Scrpting supposed to only use Secure Objects. But the History tells us, that even that simple task of building a small sandbox for Web Applets is impossible to do for the vendors. All kinds of Javascript, Web Spoofing, ActiveX unsecureness or Java Sandbox Exploits are known." Typically, when JavaScript is disabled, the hyperlinks won't work when you click on them. Whenever you find a web page that uses JavaScript, notify the webmaster as to why you will not browse the page. If you really want to look at a site despite the virus and privacy risks, just enable the JavaScript preference in your browser, and reload the page. Not convinced? Go to http://www.peacefire.org/security/jscookies/ and take a look at the directories on your own computer. By the way, this sort of works anyway, even if you have disabled JavaScript in Netscape.
..Killer Java applet sacks NT systems
Whatever you do, don't push that big red button
On August 14 a Norwegian programmer discovered how to write a Java
applet that, when run, can bring down a Windows NT system. This is
not supposed to be possible, of course. Tonny Espeset esp2@online.no
accomplishes the trick by calling some Java methods with out-of-
bounds arguments (the exploit page does not give details), and on
about half of the NT systems tested the applet immediately crashes
the system right down to a white-button reboot. On some other NT
systems, running the applet corrupts system fonts and cursors; the
symptoms are cured by a reboot. I tried the applet [19] on two NT
4.0 systems and crashed one, corrupted fonts on the other.
Greg Roelofs roelofs@pmc.philips.com, TBTF Irregular, tipped this
story -- thanks.
[19] http://www.eyeone.no/KillerApp/KillerApp.htm
For a complete list of TBTF's (mostly email) sources, see
http://www.tbtf.com/sources.html.
________________________________________________________________________
TBTF home and archive at http://www.tbtf.com/. To subscribe send
the message "subscribe" to tbtf-request@world.std.com. TBTF is
Copyright 1994-1998 by Keith Dawson,
Original story at [30] http://www.wired.com/news/news/technology/story/14617.html Hotmail Open to Script Attacks by Michael Stutz 4:00 p.m. Aug. 24, 1998 PDT What's in an email message, outside of a quick note, a reminder from Mom, or an annoying slab of spam? If the message is coming through the Web-based email service Hotmail, it could contain a Trojan horse ready to release your account information to an intruder.
Tom Cervenka, a Web programmer at Canadian Specialty Installations, spent last week working on some clever coding to send to his Hotmail account. It tells users account access has been timed out and that they need to re-enter their account and password information. When the user clicks the button to resubmit the information, the account ID and password are sent to the email address included in the JavaScript. If successful, his code would tell users their account access had been "timed out" and that the user needed to re-enter their account and password information. At that point, the code, in the form of JavaScript, would use standard mail protocols to send the account data to any email address. His trick worked. "I found out I could send myself a message that could contain JavaScript code. The code could go and alter the Hotmail user interface itself," Cervenka said. "Pretty much once you view the code [in the email message], it starts reading ... and the damage is done." The JavaScript applet in question was capable of altering the HTML-based interface of Hotmail's inbox, its outbox, and its message controls. The links and interface looked the same after they had been altered, but they had been changed to send data to Cervenka's address. "We can verify that it does appear to work and is a way that people could potentially sniff a user's passwords, and we're working extremely hard on coming up with a fix for it," said Sean Fee, Hotmail's director of product marketing. "We don't have a specific time, but we would expect a very, very fast turnaround on this," Fee said. Until then, Hotmail users shouldn't open email messages from unknown senders, and they should disable JavaScript in their Web browser. Cervenka posted a working demonstration and full description of the exploit on the Web, and sent out alerts to security mailing lists. He doesn't know of other successful exploits of the trick, but figures he's not likely to be alone in discovering what he says is the use of fairly simple JavaScript instructions to fool the Hotmail system. The free email service is the only one he's tested it on, but Cervenka suspects that any Web-based email or chat system can be similarly exploited. The fix, he says, is for the systems to detect and filter out JavaScript from any incoming email messages. "If I've figured it out, there's definitely a lot of other people who have figured it out, too," he said. "If anybody doubted that they should be concerned about their use of JavaScript, now they know," said Ted Julian, security analyst with Forrester Research. "It's a classic Trojan horse that's been tried with many different kinds of applications as a way to gather [usernames and passwords]," Julian said. Cervenka said he alerted both Hotmail and Microsoft at the end of last week but received no reply other than an automated email response from Hotmail. "Anyone that knows even a minimal amount of JavaScript can take advantage of this." Julian said free email service providers also need to be aware of the liability issues. "It's great that they are putting together these portals that contain all sorts of information and services as a way to attract traffic, but here's an example of how they need to think very carefully about what the security and liability issues are that are associated with those services," said Julian. "It's not just a matter of kinda throwing this stuff up there now. There's some considerations that they need to make." Fee said that the company is working hard to "understand exactly the various ways in which it works, understand its technical scope, and come up with a solution" that will remedy the problem. "Protecting our members' personal email and privacy is of paramount importance to us," Fee said. In February, the company patched within a day a potential exploit that granted malicious users access to Hotmail accounts.
|
From: dawson@world.std.com (Keith Dawson) Subject: TBTF Log, week of 2000-07-30Friday, 2000-08-04 ++ Brown Orifice reveals major holes in Java, Netscape 10:52:18 pm Dan Brumleve, the perpetrator of the delicately named Cache-Cow [1] Netscape security exploit of nearly two years ago, is at it again. He has discovered two new ways to make Java misbehave, one residing in the Java core and the other in Netscape's implementation of Java. He calls the new vulnerabilities Brown Orifice [2] (playing off the infamous Back Orifice [3], [4] trojan from the Cult of the Dead Cow). Brumleve writes on the BrO page [2]: > The first [vulnerability] allows Java to open a server which > can be accessed by arbitrary clients. The second... allows Java > to access arbitrary URLs, including local files. > As a demonstration, I've written Brown Orifice HTTPD for Net- > scape Communicator. BOHTTPD is a browser-resident web server > and file-sharing tool that demonstrates these two problems in > Netscape Communicator. BOHTTPD will serve files from a > directory of your choice, and will also act as an HTTP/FTP > proxy server. Brumleve has verified that the exploit works on Netscape 4.{5-7} running on Linux and assorted flavors of Windows. He has seen it work behind a firewall that was doing network address translation, and also fail with a mysterious message when a browser was con- figured to use a proxy. You can download the Java applet in various forms here [5]. I was unable to experience this security hole firsthand, as my firewall blocks incoming HTTP requests. [1] http://tbtf.com/archive/1998-10-12.html#s03 [2] http://www.brumleve.com/BrownOrifice/ [4] http://tbtf.com/archive/1998-08-10.html [6] http://www.brumleve.com/BrownOrifice/BOHTTPD_download.cgi To subscribe to the TBTF newsletter, send the message "subscribe" to tbtf-request@tbtf.com, or visit http://tbtf.com/#autosub . TBTF and the TBTF Log are Copyright 1994-2000 by Keith Dawson, daw- son@world.std.com. Commercial use prohibited. For non-commercial purposes please forward, post, and link as you see fit.
PC World August 8, 1998
In early June, 1998, the Federal Trade Commission released the results of its survey of Web sites. The commission found that 92 percent of commercial Web sites surveyed collect personal information, but only 14 percent let individuals know what they do with that information. Eighty-nine percent of children's sites surveyed collect personal information, but less than a quarter instruct kids to get their parents' permission before providing that information. In response, the FTC outlined legislative recommendations for children's sites, with more to come later this summer.
You can find more specific information about hostile java at http://www.cigital.com/hostile-applets/
Home