[clug] Drive-By Pharming Attack Could Hit Home Networks

Michael Cohen michael.cohen at netspeed.com.au
Sun Feb 18 22:10:55 GMT 2007


On Sun, Feb 18, 2007 at 08:49:32PM +0100, Kim Holburn wrote:
> I seem to remember that Java was designed with security in mind but I  
> believe JavaScript came out of Netscape as an afterthought, very  
> basically based on the idea of Java, and has grown rather like Topsy  
> ever since (and been embraced and extended ;-).  There are different  
> JavaScripts in different browsers and none have a good security  
> reputation.

Kim, 
  JavaScript may have grown in a haphazard way, and that is reflected in its
  syntax and structure, but ultimately it's merely another (somewhat weird
  looking) Turing-equivalent language. The problems you mentioned are
  fundamental to the whole web model - i.e. how is it possible to have code
  downloaded from the net and have that code execute, but limit its ability to
  touch other code downloaded from the net?

  This is a hard problem because the web is not a constant; the way people want
  to use the internet changes all the time. The single site/single script
  context model is one way of trying to define security boundaries (Java applets,
  btw, use the same model too). Sometimes it works, often it doesn't (purely
  because evildoers deliberately exploit those situations in which it doesn't
  work).

> No-one seems to have thought of this scam yet but I expect you will  
> see it.
 
  Phishing scams and adware have thought of just about anything to get their
  scams up - I am sure they will use the original exploit described in the
  paper too.

> JavaScript can write just about what it wants into the current page.   
> You can create a whole page with JavaScript or rewrite one.  How  
> could the browser really test for this?  JS can hijack all the links  
> on a page, it can create a link that will appear to a cgi script that  
> someone filled in a correct username and password and changed  
> settings.  If it can't open a page from another site it can entice  
> you to open it and make the page look like something else.  It can  
> make a page that gets all its resources from another site.   
> JavaScript is not secure in hostile hands.

These features are not specific to JavaScript - VBScript and Java applets can
all do that. In fact that is the whole point of web-side scripting - to be able
to manipulate the DOM, create new nodes, and test for existing nodes.
JavaScript is basically a tool used to manipulate the DOM and, as an event
model, to interact with the user. In fact any code can submit anything to a cgi
form (that's the whole point of HTTP - it's user-agent agnostic) without the
form knowing if it was really a browser or not. 

> As we do more and more business and system administration on-line and  
> through browsers and use more and more AJAX this sort of thing is  
> going to become more dangerous.

Again, AJAX is just a simple extension to JS - it does not open more or less
security issues. Everything that AJAX can do can be done without it. Of course,
in IE AJAX is implemented as an ActiveX control - a technology which allows
foreign code to run without _any_ security boundaries (so if you want AJAX you
need to enable ActiveX in IE - which is enabled by default). So JS is much
better than ActiveX in this respect.

> Hmmm...  I think there are fundamental flaws in javascript.  I still  
> use it though.

I would like to hear your thoughts - what fundamental (security) flaws do you
see in the JS model? (Of course, don't get me started on the actual JS language
itself, the syntax of which brings images of dogs' breakfasts to mind.)

Michael.


More information about the linux mailing list