[Gllug] Open Source Hardware User Group meeting on Thursday.

general_email at technicalbloke.com general_email at technicalbloke.com
Wed May 12 23:52:41 UTC 2010


damion.yates at gmail.com wrote:
> On Wed, 28 Apr 2010, general_email at technicalbloke.com wrote:
>
>> Dan Kolb wrote:
>>
>>> On Tue, Apr 27, 2010 at 02:12:58PM +0100,
>>> general_email at technicalbloke.com wrote:
>>>
>>>> Actually there isn't if you are browsing with Javascript disabled -
>>>> does anyone browse with it enabled by default these days!?
>>>
>>> About 99.9% of people on the internet?
>>
>> But I'll wager considerably less on this list no? I'm surprised if
>> not, seeing as pretty much every security exploit out there leverages
>> either Javascript, Java applets or Flash.
>
> Okay flash and Java have (even VERY recently) had actual exploits
> permitting arbitrary code execution.  Actually you're forgetting the
> numerous libjpeg and libpng exploits on just viewing malicious images!
> However which Javascript exploits are you talking about?
>
> Are you confusing poor html/js on websites permitting cross-site issues?
> Those only affect data related to those sites such as cookies or post
> data on a mistaken click you make.  Sure that cookie can let somebody
> log in as you, but that's whichever noddy poorly coded website's
> problem.  It doesn't 0wn your system or permit access to other important
> auth data/cookies for other domains*.
>
> Damion
>
> *excluding IE and Safari which both have had famously poor/insecure JS
> engines.  We're talking Linux so presumably Chromium with V8 JS Engine
> is what you have?

I never claimed a particular Javascript VM was insecure in and of
itself, it could be a 100% bug free implementation with flawless
sandboxing and it would still be a liability to allow it to execute
anything and everything it comes across in your web browser. It's simply a
bad policy to allow arbitrary scripting by default if you have anything
worth anything on your computer, Javascript, Actionscript, Active-X,
COBOL, whatever - it's a liability.

Javascript is leveraged in a huge number of exploits, often directing
people's browsers to visit attack sites or to download/run poisoned
PDF/MP3/JPG/Whatever content. Recently it has been shown that several
popular PDF readers permit embedded Javascript to start embedded
executable code, that may be the vendor's fault but it's still a problem
for your security.

I had to clear some malware off a client's website the other day, the
code the hackers had inserted wasn't HTML or Apache configs or even PHP
it was JS code which redirected visitors coming from google to a drive-by
download site. A hacker doesn't even need to compromise a hosting
account to redirect people to his/her scuzzware server these days if he/she
can simply slip a little javascript into a website via a SQL injection
or an imperfectly sanitized forum post/comment.

And what makes you think XSS isn't all that serious a threat to you and
your data? Is somebody gaining control of your webmail session not a
serious threat to your security when you consider your webmail account
probably tells an attacker every website you are a member of, gives them
the means to reset the password for any of those sites and often
contains more than enough info for them to successfully spearphish and
pwn you ten times over if they so choose?

You also fail to mention another popular abuse of scripting, CSRF... How
do you like the idea of 3rd party scripts that can sneakily click
buttons in your PayPal account? How about harmless looking links that
reset your router's DNS to a malicious server in the Ukraine via its web
interface?

Really these things, while they affect Windows users far more than
desktop linux users right now, are worth being aware of and, I think,
taking steps to mitigate against, especially as people seem so
determined to move everything into the "cloud".

And no I don't run Chromium, for a start you can't get no-script for it ;)

Roger.
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
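A defender-side check for the kind of injected, referrer-conditional redirect Roger describes cleaning off his client's site. This is an added example, not code from the original post or the list; the sample HTML, the landing URL and the search-engine names are constructed for illustration.

```python
import re

# Constructed sample page: one legitimate external script plus an inline script
# that only fires for visitors arriving from a search engine and sends them
# elsewhere. The URL is a placeholder, not a real site.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script>
if (document.referrer.indexOf("google") != -1) {
  window.location = "http://example.invalid/landing";
}
</script>
</head><body>Hello</body></html>"""

# Inline <script> bodies (external src-only tags have an empty body).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# The three traits of the injection: it reads the referrer, it names a search
# engine, and it assigns or calls a location redirect.
REFERRER_RE = re.compile(r"document\.referrer", re.I)
SEARCH_RE = re.compile(r"google|bing|yahoo", re.I)
REDIRECT_RE = re.compile(
    r"(window\.|document\.)?location(\.href|\.replace|\.assign)?\s*(=|\()", re.I
)


def find_referrer_redirects(html):
    """Return inline script bodies that gate a location redirect on the
    referrer matching a search engine; an empty list means nothing flagged."""
    hits = []
    for match in SCRIPT_RE.finditer(html):
        body = match.group(1)
        if (REFERRER_RE.search(body)
                and SEARCH_RE.search(body)
                and REDIRECT_RE.search(body)):
            hits.append(body.strip())
    return hits


if __name__ == "__main__":
    for script in find_referrer_redirects(SAMPLE_HTML):
        print("suspicious inline script:\n" + script)
```

Run it over saved copies of a site's pages; it only catches plain-text injections of this shape, so packed or obfuscated scripts still need a manual look.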