February 4, 2000 1:20 PM PST
Hacking hazards come with Web scripting territory
If you've surfed the Web recently, you've almost certainly seen scripts at work performing some of the most common tasks of today's Web pages, from helping users search pages to scrolling text across the screen and launching new windows.
In the wake of a government advisory about a newly recognized Web scripting security threat, software providers fear scripting is getting a bum rap despite security protections built into the top scripting implementations.
The difference between scripting languages, which can be found on and off the Web, and computer programming languages like C++ or Fortran, is that scripting languages are interpreted, while programming languages are compiled. Compilers translate programming instructions written by humans into a language a microchip can understand.
With scripts, browsers essentially do that work on the fly.
Scripts are powerful enough, however, to do real damage when written maliciously. Both this week's government advisory and countless other exploits demonstrated by bug hunters on the Web have shown how hackers can take advantage of the flexibility and power of scripting to pry into Web surfers' private information, both in the browser and in other applications on the computer.
Chief among these bug hunters is the Bulgarian security consultant Georgi Guninski, who has numerous scripting exploits to his name for the major browsers provided by Microsoft and Netscape.
In a recent example, Guninski showed how Microsoft's Outlook Express mail reading application let a malicious user embed a script within a message to expose the mail of the targeted user while the initial message window remained open.
Guninski earned a steady income of $1,000 per bug from Netscape before the company brought him on board as a consultant last summer.
Security experts point out, however, that the government's advisory did not pinpoint any flaw in the scripting languages themselves, but rather in Web sites' implementation of forms, which allowed visitors to submit input containing potentially malicious scripting tags.
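As an added illustration of the flaw the advisory describes (this is example code written for this page, not code from the article or from any vendor it quotes): a minimal server-side search handler in Python that reflects a form parameter into the page, first without escaping and then with HTML escaping, plus a simple check a site operator could run over request query strings to spot tag characters in submitted values. The parameter name `q`, the page template and the request lines are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests: one ordinary search, one carrying a script tag
# in the form parameter (the kind of input the advisory warns sites about).
BENIGN_REQUEST = "GET /search?q=browser+security HTTP/1.0"
TAGGED_REQUEST = "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.0"


def query_params(request_line: str) -> dict:
    """Parse the query string out of a constructed HTTP request line."""
    path = request_line.split(" ")[1]
    return {k: v[0] for k, v in parse_qs(urlsplit(path).query).items()}


def render_unsafe(query: str) -> str:
    """The weak pattern: the visitor's text is copied into the page verbatim,
    so any tags it contains become live markup in every browser that loads it."""
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_safe(query: str) -> str:
    """The fix: escape the text so the browser shows the characters instead
    of interpreting them as tags (quote=True also covers attribute contexts)."""
    return f"<html><body><p>Results for: {html.escape(query, quote=True)}</p></body></html>"


def handle_search(request_line: str, escape: bool = True) -> str:
    """Serve the search page for a request line, escaped unless told otherwise."""
    query = query_params(request_line).get("q", "")
    return render_safe(query) if escape else render_unsafe(query)


def suspicious_params(request_line: str) -> list:
    """Defensive check: names of parameters whose decoded values contain
    angle brackets, i.e. candidates for markup injection worth logging."""
    return [name for name, value in query_params(request_line).items()
            if "<" in value or ">" in value]


if __name__ == "__main__":
    for req in (BENIGN_REQUEST, TAGGED_REQUEST):
        print(req)
        print("  flagged params:", suspicious_params(req))
        print("  unescaped page:", handle_search(req, escape=False))
        print("  escaped page:  ", handle_search(req))
```

The difference between the two renders is the whole vulnerability: the unescaped page hands the visitor's `<script>` element to every browser that loads it, while the escaped page shows the same characters as inert text. The parameter check is a cheap way to notice such submissions in server logs, but it is a detection aid, not a substitute for escaping output.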
Despite the frequency of scripting-related security problems, Microsoft stresses that the hazards come with the technology territory.
"There is always a balance between security and ease of use, and scripting is no exception," a Microsoft spokeswoman said. "It is up to each customer to decide what sites they want to allow to perform scripting and which they don't."
She noted that Internet Explorer's security zones let users classify sites according to whether they are known and trusted and therefore allowed to run scripts.
Netscape said that scripting is the safer of various alternatives because of its "sandbox" security model, which only allows the script to interact within certain boundaries on the site visitor's computer.
Netscape's La Guardia added: "If it were native code running all the time, we wouldn't have the Web as we have it today. It would be one giant gaping security hole."
For example, Microsoft's ActiveX technology has been criticized for running code on computers while relying on a "trust" security model, in which ActiveX controls can execute native code provided the user has decided they trust the control's source.
Even with sandbox protections, however, Netscape said users should exercise caution in choosing which sites to visit.
"The best thing people can do in the face of this is not to talk to strangers," La Guardia said. "Don't go into dark alleys. There are bad places out there--and bad people. Stay away from them."