The Threat That is the Internet
Jikto, the JavaScript web scanner, relied upon basic research conducted by an independent researcher who has now come out and released a conceptual description of how a major AJAX / JavaScript Internet worm would work and how it could be configured for greatest effect.
Using a set of common, well known building blocks, it will soon be possible to construct a worm that attacks the Internet, spreading by user contact (i.e. every page they visit), and which creates havoc across the Internet, rather than the relatively limited scope of worms such as Samy (MySpace) and Yamaner (Yahoo! Mail).
This relies upon the way that JavaScript is implemented in browsers and features of the language itself. In this case it is resulting in something that isn't so pleasant for end users, or has the risk of being not so pleasant, but there are other cases where vulnerabilities have been declared, when it is the expected behaviour of a system.
Apple's flagship Internet browser, Safari has been declared vulnerable to a JavaScript flaw that could allow a malicious site operator to see what links are being clicked on from the site. Before rushing off to Apple to complain, consider that it is possible, using JavaScript or CSS (for those who surf with JavaScript disabled), to determine where a site visitor has been. Also consider that many sites (Information Security sites included) use formatted links that temporarily direct to an interstitial page before going to the desired location. This allows them to track where their visitors are going and also allows another opportunity to throw advertising in front of the site visitor.
Now to the 'vulnerability'. Unfortunately for the discoverer, and for the Information Security companies that have jumped on the discovery with glee, what Safari is doing is actually the expected behaviour. In the described situation, and the demonstrated proof of concept, the site coder has configured their anchor link <a> to trigger a JavaScript function which then loads the desired link in a new window (target="blank" is so much easier). Once the window has opened, the function continues to run and references a subsequent function, which references the opened window and identifies the URL.
In JavaScript, if a new window has been opened from a page, JavaScript can be used to perform various manipulations on the new window, and the same can be done from the spawned window.
The fact that the script continues to run in the original window and then referencing a known parameter of the new window is nothing new. It is not a vulnerability.
20 May 2007
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.