Version: 2008

Comments on: JavaScript opens doors to browser-based attacks

Malicious code embedded in Web site can let miscreant map a home or corporate network, attack connected devices.

(29 Comments)
too bad, oh well
by emancipated July 28, 2006 2:56 PM PDT
Disappointed, not surprised. Item provides weekend reading material.
limited user mode
by superdave132 July 28, 2006 6:45 PM PDT
Would running in limited user mode prevent such attacks?
No...
by umbrae July 31, 2006 6:46 AM PDT
Even a limited user can run javascript. The only limited access that would avoid this would be one that does not allow you to surf the internet, or log on to the computer at all.
Thank you for confirming...
by OneWithTech July 28, 2006 10:41 PM PDT
....what I have suspected and came to learn of before this article was released. And if you all think that is the only JavaScript manipulation attack that can be mustered up, just wait.

I have been studying JavaScript extensively as part of my Web Development regime and am finding more and more ways to manipulate it for evil than for good! And you thought cookies were harmless!

J Gund
Tech01
www.tech01.net
NoScript Extension w/ Firefox
by Anysia July 28, 2006 11:36 PM PDT
Totally disabling JavaScript won't work but you can pick what sites/sources to allow JavaScript. Guess it's not just an extension to speed up surfing and blocking some annoying ads.
extension reveals lacks in Firefox?
by nrlz July 30, 2006 2:00 AM PDT
Think about it. If Noscript really improves security, it would have long since been included into Firefox. The Anti-Phishing extension by Google, that first debuted a couple of months ago, has already been selected for inclusion into Firefox 2.0. This either shows that Noscript is not all it's cracked up to be or Firefox programmers really don't know the first thing about security.
Why Use a MacBook?
by brodda2 July 29, 2006 6:51 AM PDT
Are they suggesting that OS-X machines are vulnerable to JavaScript
attacks or was that just a poor choice on the graphic
artist's part?
Why not?
by aclottmann July 29, 2006 1:46 PM PDT
From the story, it seems that all operating systems are vulnerable
to this kind of attack. All that's required is that the user has
JavaScript enabled on their browser. I'm sure that the choice of the
MacBook in the graphic was only because it looks cool, not because
Apple machines are any more or less affected by these kinds of
attacks than anyone else.
A change is needed
by MaxiSteel July 29, 2006 5:31 PM PDT
This is very scary. I think that the entire method of web browsing should be re-engineered as in IPV6 for communications, to become a trusted application.

Users are having to accept patches to problems when they are wanting REAL solutions.

Society actually cares, but is not able to cope with the ever increasing speed of tech and lack of knowledge of the same.

Maxi
Turning off Javascript isn't that bad
by Jackson Cracker July 30, 2006 2:28 AM PDT
I've found that a number of sites, including some shopping
sites, work just fine without Javascript. I think it makes
more sense to have Javascript turned off by default and then
only activate it when really necessary.
Java is a script and known to be vulnerable
by wbenton July 30, 2006 8:43 AM PDT
That said... why do SO MANY pages on the internet require Javascript to be enabled to browse them?

If you want to view a link... it can be done in HTML... no need to use Javascript... but many do.

Javascript loses readers... especially those like me because I don't allow javascript for just anybody. There must be a reason.

But if that reason is because some bloody javascript crazy programmer decided to use javascript rather than just plain HTML... then I don't view that site and I also voice my opinion against that site to all of my buddies.

Javascript needs to be used with care... only when required... not just when desired.

And if you haven't figured it out yet... I block ALL javascript by default. And must have sound reasoning why to unblock it.

Sadly however... much of the internet doesn't understand the vulnerabilities of it and thus programs javascript for everything.

Walt
Don't blame Javascript, blame its abuser
by mng2000 August 1, 2006 9:31 AM PDT
Javascript was invented with good intention. It allows developers to provide users with better browsing experience. Just like anything else in this world, abusers will find a way to do bad things with great inventions. Case in point: a knife. Should we stop producing kitchen knives because some bad people may use them to hurt someone? Or should we find other ways to prevent bad people from using a knife (like lock them up)?

Personally, my solution would be to improve both Javascript and browsers to keep abusers from doing any harm rather than disabling Javascript.

Hey, you drive to work, don't you? Would you rather walk to work instead because it's better for the environment? Or would you rather drive a more environment-friendly car such as a hybrid?
Wrong...
by jbrunken August 4, 2006 9:06 AM PDT
I think you need to educate yourself a bit more on the reasons for using javascript before you condemn web programmers for using it.

There are many many reasons for using javascript that have nothing that make it compelling to use, not to mention that it's a core piece of most of the mainstream web development platforms.

I love how web users continually demonize technologies (usually based on a small amount of bad press) without any true understanding of what benefits those technologies provide. First it was "evil cookies", now it's "evil javascript".

Could the web be built without things like javascript and cookies? Absolutely, but it would be a lot less functional and sadly the same group of people would probably be the ones to complain about how non-user friendly many sites would become.

I'd prefer to keep things in perspective and not throw the baby out with the bathwater...
I think we should use the correct name [Java is not the same as JavaScript]
by wadechandler September 20, 2006 9:13 PM PDT
This is a common mistype which simply leads people down yet another path of techno bash and confusion. This message is talking about JavaScript and not Java just for the record.
First ActiveX, Now This
by maxwis July 30, 2006 10:48 AM PDT
So we dumped MS IE in favor of Firefox or Opera to browse more securely. We eschewed ActiveX because it was a threat to security. Now we find out that Javascript, which is even more pervasive than ActiveX, is just as bad. Sure, you can disable Javascript, but then almost every site you visit is going to fail in some way. Good luck trying to checkout from online shopping as your cart crashes and burns. Also, as the CNET story points out, even if you only allow Javascript on trusted sites, if those sites are hacked due to poor security then you are at risk too. This seems a totally unworkable solution. I think what is needed is an Internet appliance, akin to a hardware firewall, that uses a limited, hardened OS. All web browsing would be done through a proxy that communicates with the appliance.
Keeps programmers employed
by deko July 30, 2006 4:39 PM PDT
JavaScript is a staple of the Internet, that much is sure. I couldn't even log in to post this reply without JavaScript enabled.

Seems to me a solution needs to be built into the browser rather than something external. For example, anytime a script attempts to do anything outside of a pre-defined security context, a confirmation dialog is received. This way if you want a script to log into your broadband router and turn off the firewall, you can let it. Perhaps the browser could also flag a site as "unsafe" if it tries anything funny.

Users of Windows Live OneCare are familiar with these kinds of alerts - when an application attempts to access the Internet. Why not apply the same logic to the browser?

How difficult can it be to put a fence around a script (letting the user define its boundaries) and require a user confirmation when action is initiated beyond that fence?
VMware
by mycall0 July 30, 2006 4:08 PM PDT
Here is one powerful solution: use free VMware and one of the free virtual machines (http://www.vmware.com/vmtn/appliances/) to do your websurfing. Even if it is 0wn3d, the virtual networking will sandbox the scanning of your real network.
Will not work
by ralfthedog July 30, 2006 6:08 PM PDT
VMware will protect against attacks to your computer. It will not prevent your computer from sending stuff out. This story is about an exploit that lets java mess with other devices on your network (Turn off the firewall built into your router, get your DSL modem to start dialing 911, stuff like that.)
The TRUTH about Firefox
by umbrae July 31, 2006 6:54 AM PDT
Disabling JavaScript in Firefox does, in fact, block this request. I have no experience with the NOSCRIPT "3rd Party" extension for Javascript, but this is a "3rd Party" tool and does not reflect upon any of the "core" Firefox development team. Regardless of what Google tools Mozilla decides to include in 2.0.

Please understand how a browser works and is developed before you lay claims to what they do and do not know.

Once again, you can uncheck "Enable Javascript" in Firefox and it will block this exploit.