[Sussex] JavaScript is no longer secure: TURN IT OFF NOW!

Steven Dobson steve at dobson.org
Sun Aug 13 13:53:49 UTC 2006


On Sun, 2006-08-13 at 13:39 +0100, Paul Howard wrote:
> Found a lot of things that don't exist when I run it. My home network
> has 5 machines on it right now but the scanner detected about 60
> separate "true" conditions - it did catch all the ones that exist but
> it also made up a lot that didn't.

For me here the important thing is that a proper JavaScript program can
scan your network.  What is to stop a cracker writing one that connects
to your firewall and re-configures it?  What protection is your firewall
worth now?  From a security perspective this is a problem.  No scripting
is safe.  Do you really want to trust the web sites you visit not to
mess with your network?  That's not a bet I'll make.

In other news, Google has teamed up with the Stop Badware Coalition to
report which of the results they return to your query have concerns
about "spyware, malware, or just sort of generic badware".  If you
follow a link which is believed to be "bad" then you will be first
directed to a page warning you.  In a study they did a few months ago
10% of search results are of sites that have this collision of known
badware.

Steve
