[Sussex] JavaScript is no longer secure: TURN IT OFF NOW!

Steven Dobson steve at dobson.org
Mon Aug 14 11:37:56 UTC 2006


On Mon, 2006-08-14 at 11:33 +0100, Colin Tuckley wrote:
> Jon Fautley wrote:
> 
> > I'm not so sure he is - Al makes a good point. All you can do with this
> > code is exploit misconfigured devices. If you allow misconfigured
> > devices on your network, there are many other avenues of attack.
> 
> I'm inclined to agree. Steve was right to bring it to people's attention, but
> the way he did it smells of scaremongering to me. That is *not* the right
> way to do things on a list like this.

Scaremongering was not my intent.  However, according to [1] there are
now over one billion (1,000,000,000) people on the Internet.  If we
assume one computer for every two people, that's 500 million computers.  If
only a tenth of one percent of those computers are vulnerable to this
kind of attack, that's still 50,000 computers!  That's a sizable army of
spam bots.

I consider this a problem because I'm a programmer.  I'm not a
JavaScript developer so I don't know what the restrictions are with the
JavaScript sandbox.  However I do know two things now:

   1). The JavaScript sandbox (unlike the Java one) does not limit
       untrusted script to making connections to the host that served
       it, and

   2). As a developer I have been asked to solve problems that were not
       known to be solvable and I found solutions.  And I have to
       assume that there are virus developers out there that are better
       than me at programming.

I trust a lot of people.  I generally think it is okay to trust people
en masse.  A crowd is more trustworthy than a single stranger because, I
believe, people are generally trustworthy and untrustworthy people
will get found out in a crowd.  That is why I trust the Debian
Developers and do not pore over every line of code in a package before
installing it.

But going to a website is like dealing with that single person - the
security of the crowd isn't present.  Apparently 10% of all results
returned by Google are of sites that contain some kind of spyware,
malware, or virus...

When I added all these bits of knowledge together I reached a point where
I consider client side scripting to be a risk.  You may not, but I don't
want to take the risk that some smart virus developer can find a way
to break my security using JavaScript.  So I've disabled JavaScript in
my browser.

I've heard some say that the biggest scaremongering of all time was Y2K.
I don't believe so.  The company I worked for employed one guy for three
years just to look at our systems and get them Y2K ready.  As a result
Y2K was not a problem for either the systems we used or for the ones we
had delivered to clients.  That company considered that cost well worth
it.

Did planes not fall out of the sky, did medical systems not stop working
because Y2K was a hoax, or because companies identified any problem
system _before_ the event and took the appropriate action?  I think the
latter.

The best reasoning I heard on taking preventive action was from a
medical doctor.  When there was all that problem with the triple vaccine
he pointed out that a very small percentage of people couldn't be
vaccinated against one of the diseases (can't remember which one).  What
those people needed was everyone else to be vaccinated, because for a
disease to become an epidemic it had to infect a certain percentage of
the population, and the number of people who couldn't be vaccinated was
below this threshold.

So should you disable JavaScript too?  That is your decision to make,
just like it is your decision to vaccinate your kids against infectious
diseases or not.

Steve

[1]
http://www.internetworldstats.com/stats.htm


http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html
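Editor's added example, not code from Steve's message or from the SPI Dynamics article he links. It illustrates point 1) above: a script served by one site can point an <img> at any other host, including addresses on the visitor's own LAN, and although the browser hands the script no response bytes, it does report whether the request ended in load, error or nothing at all, and how long that took. That side channel is what the linked port-scanning article reads. The timing thresholds, the verdict labels, the target list and the sample responses are all assumptions made up for illustration.

```javascript
// Added example (not from the original post or the linked article).
// The only thing the script learns about a cross-host <img> request is which
// event fired and how long it took; the classifier below turns that into a
// verdict. Thresholds are assumed values, not measured ones.

const FAST_MS = 1000;     // assumed: a refused connection or an HTTP reply arrives well inside this
const GIVE_UP_MS = 8000;  // assumed: anything slower is treated as no answer at all

// Pure classifier of one probe. `outcome` is "load", "error" or "timeout";
// `elapsedMs` is the time from issuing the request to that event.
function classifyProbe(outcome, elapsedMs) {
  if (outcome === "load") return "open-http";   // an HTTP server handed back a real image
  if (outcome === "timeout") return "silent";   // no answer: filtered, or no host at that address
  // "error" fires both when an HTTP server answered with something that is not
  // an image and when the TCP connection was refused, so the event alone does
  // not separate those two. A slow error means the port accepted the connection
  // but never spoke HTTP (a non-HTTP service waiting for the client to talk first).
  return elapsedMs < FAST_MS ? "answered-fast" : "accepted-no-http";
}

// Browser-side loader: one probe through an <img>. Only meaningful in a
// browser; in Node it is never called because scan() is given sampleLoader.
function imageLoader(url) {
  return new Promise((resolve) => {
    const started = Date.now();
    const img = new Image();
    let done = false;
    const finish = (outcome) => {
      if (done) return;
      done = true;
      img.onload = img.onerror = null;
      resolve({ outcome, elapsedMs: Date.now() - started });
    };
    img.onload = () => finish("load");
    img.onerror = () => finish("error");
    setTimeout(() => finish("timeout"), GIVE_UP_MS);
    img.src = url;
  });
}

// Probe every target concurrently and return { target: verdict }. The loader
// is injected so the logic can run outside a browser with constructed data.
async function scan(targets, loader = imageLoader) {
  const pairs = await Promise.all(
    targets.map(async (target) => {
      const r = await loader(target);
      return [target, classifyProbe(r.outcome, r.elapsedMs)];
    })
  );
  return Object.fromEntries(pairs);
}

// Constructed sample (not a real capture): what a loader might report for a
// few private addresses. Addresses, ports and timings are invented.
const SAMPLE_RESPONSES = {
  "http://192.168.1.1/":         { outcome: "error",   elapsedMs: 120 },  // router admin page: HTML, not an image
  "http://192.168.1.10:3389/":   { outcome: "error",   elapsedMs: 6200 }, // service accepted TCP, sent no HTTP
  "http://192.168.1.50/logo.png": { outcome: "load",   elapsedMs: 90 },   // an image actually came back
  "http://192.168.1.77/":        { outcome: "timeout", elapsedMs: GIVE_UP_MS }, // nothing there
};

// Offline stand-in for imageLoader: answers from the constructed table.
function sampleLoader(url) {
  return Promise.resolve(SAMPLE_RESPONSES[url] || { outcome: "timeout", elapsedMs: GIVE_UP_MS });
}

// Stand-alone run with the constructed loader: no network traffic is generated.
scan(Object.keys(SAMPLE_RESPONSES), sampleLoader).then((verdicts) => console.log(verdicts));
```

Two caveats a practitioner would want: the "answered-fast" bucket is genuinely ambiguous (a refused port and an HTTP server returning a 404 page look alike to the script), and browsers refuse outright to make such requests to a number of well-known non-HTTP ports (22 and 25 among them), so a scan only sees the ports the browser is willing to connect to. Neither limitation changes Steve's point that the script was allowed to make the connection attempts at all.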