'ware

The Head Lemur sent me the link to this important story about a security threat based on JavaScript. This is a tough type of event to prevent, because it is increasingly difficult to turn JS off–so much of online content is JS dependent.

Typically most attacks of this nature will occur because malicious script is embedded into a web site through a cross-site scripting attack (XSS). The only way to prevent these is to scrub your form entry fields to make sure script or other unwanted material isn’t getting through. (Which reminds me that I have to check my new sites’ comments, to make sure these are ‘clean’.)

This is a threat, but I would say it’s of secondary concern compared to some others. No, don’t shoot me. It requires that a lot of factors be in place before it can work: your router not have password protection, your printers always be on and have a built-in web server and so on. The more sophisticated your home network, the more vulnerable you are. However, the more sophisticated the home network, the more we have to assume you know how to protect such network.

Still, not sure what we can do so plug such breaks. Would be a shame to start crippling JavaScript, just when it started to get interesting. As for ‘firewalling’ the browser, I agree that browsers need to make us more aware of what is happening behind the scenes. I’m also all for extensions such as Firefox’s NoScript to ‘whitelist’ JavaScript sites (though XSS can make this mute if the whitelisted site provides openings for malicious JavaScript insertion.)

(Slashdot coverage. Original press release and white paper on the exploit.)

This entry was posted in Stuff. Bookmark the permalink.

Comments are closed.