[clug] Drive-By Pharming Attack Could Hit Home Networks
michael.cohen at netspeed.com.au
Sun Feb 18 22:10:55 GMT 2007
On Sun, Feb 18, 2007 at 08:49:32PM +0100, Kim Holburn wrote:
> I seem to remember that java was designed with security in mind but I
> basically based on the idea of java and has grown rather like topsy
> ever since (and been embraced and extended ;-). There are different
syntax and structure, but ultimately it's merely another (somewhat weird
looking) Turing-equivalent language. The problems you mentioned are
fundamental to the whole web model - i.e. how is it possible to have code
downloaded from the net and have that code execute but limit its ability to
touch other code downloaded from the net.
This is a hard problem because the web is not a constant; the way people want
to use the internet changes all the time. The single site/single script
context model is one way of trying to define security boundaries (java applets
btw use the same model too). Sometimes it works, often it doesn't (purely
because evildoers deliberately exploit those situations in which it doesn't
> No-one seems to have thought of this scam yet but I expect you will
> see it.
Phishing scams and adware have thought of just about anything to get their
scams up - I am sure they will use the original exploit described in the
> could the browser really test for this? JS can hijack all the links
> on a page, it can create a link that will appear to a cgi script that
> someone filled in a correct username and password and changed
> settings. If it can't open a page from another site it can entice
> you to open it and make the page look like something else. It can
> make a page that gets all it's resources from another site.
all do that. In fact that is the whole point of web side scripting - to be able
to manipulate the DOM, create new nodes, and test for existing nodes.
- interact with the user. In fact any code can submit anything to a cgi form
(that's the whole point of HTTP - it's user agent agnostic) without the form
knowing if it was really a browser or not.
> As we do more and more business and system administration on-line and
> through browsers and use more and more AJAX this sort of thing is
> going to become more dangerous.
Again AJAX is just a simple extension to JS - it does not open more or less
security issues. Everything that AJAX can do, can be done without it. Of course
in IE AJAX is implemented as an ActiveX control - a technology which allows
foreign code to run without _any_ security boundaries (so if you want ajax you
need to enable ActiveX in IE - which is enabled by default). So JS is much
better than ActiveX in this respect.
> use it though.
I would like to hear your thoughts - what fundamental (security) flaws do you
see in the JS model. (Of course don't get me started on the actual JS language
itself, the syntax of which brings images of dogs' breakfasts to mind.)
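The point made above about cgi forms (any code can submit to one, and the form cannot tell a browser from a script) is the class of problem behind drive-by pharming: a page on a foreign origin can POST a "change DNS server" form and the browser attaches the victim's session cookie. As an added illustration, not code from this thread or from any product it mentions, here is a minimal settings handler in two versions: one that trusts the session cookie alone, and one that also requires a per-session token that a page on another origin cannot read. Session ids, addresses and field names are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed server-side state (assumed names): session id -> logged-in user.
SESSIONS = {"sess-abc123": "admin"}
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret, never sent to clients

def csrf_token(session_id: str) -> str:
    """Token bound to the session, embedded as a hidden field in the real settings page.
    Same-origin policy keeps other origins from reading that page, so they cannot
    reproduce the token in a cross-site POST."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_settings_cookie_only(cookies: dict, form: dict) -> str:
    """Vulnerable: any request carrying the victim's cookie is accepted, whoever built it."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return "401 not logged in"
    return f"200 dns updated for {user}: {form.get('dns')}"

def handle_settings_with_token(cookies: dict, form: dict) -> str:
    """Hardened: the request must also carry the token bound to this session."""
    sid = cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):
        return "403 missing or invalid csrf token"
    return f"200 dns updated for {user}: {form.get('dns')}"

# Constructed requests; the browser attaches the session cookie to both of them.
COOKIES = {"session": "sess-abc123"}
LEGIT_FORM = {"dns": "192.0.2.53", "csrf_token": csrf_token("sess-abc123")}
CROSS_SITE_FORM = {"dns": "198.51.100.7"}  # built by another origin; token unknown to it

if __name__ == "__main__":
    print(handle_settings_cookie_only(COOKIES, CROSS_SITE_FORM))  # accepted: 200
    print(handle_settings_with_token(COOKIES, CROSS_SITE_FORM))   # rejected: 403
    print(handle_settings_with_token(COOKIES, LEGIT_FORM))        # accepted: 200
```

The token only helps if the settings page itself is served on the same origin as the handler and the token is not leaked through a URL or a cross-origin readable resource.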