CERT warning? What, me worry?
By: Coris Neme
The February 3 announcement by CERT of a major security hole that affected all Web browsers so badly that they recommended wiping all cookies and browsing only known sites sounded bad--until I read the warning. I'm writing this article for one reason and one reason only: to dispel the FUD and hysteria of this ludicrous "warning". I've seen e-mail virus hoaxes that I was more inclined to panic about.
The supposed danger here, cross-site scripting, is that malicious JavaScript code could appear on a Web page, a newsgroup posting, or an e-mail. (Oh, my! The horror!) You might want to restrain your shock; this isn't news. Malicious scripts, unseen by the average user, have been possible since scripting languages came into being. Poison JavaScript and nasty Java applets are nothing new under the sun. CERT is basically telling us that it's 1996 again.
To be fair, the warning goes into a little more detail: It says that dynamically generated pages could launch JavaScript code unintentionally. Mr. Obvious, it's time for your wake-up call. Any page, dynamic or static or anything in between, can contain malicious code. But if you've disabled the scripting language that the code uses, it's irrelevant where the code came from.
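As an added illustration of the mechanism the warning describes (this is example code, not part of the column or of the CERT advisory): a server-side page generator that echoes a caller-supplied search term into its HTML, shown beside the same generator with output encoding applied. The query string and the parameter name `q` are constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed sample input: the query string a server might receive for a
# search page. The search term carries markup, as any caller-controlled
# parameter could.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def render_unsafe(query_string: str) -> str:
    """Dynamically generated page that copies the term into the HTML verbatim.

    This is the pattern the advisory is about: the page author never wrote
    the script, but the server assembles it into the page, so the browser
    runs it with the trust it gives that site.
    """
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {term}</p>"


def render_escaped(query_string: str) -> str:
    """Same page, with the term HTML-escaped at the point it is inserted.

    Angle brackets, quotes and ampersands become character references, so
    the browser shows the text instead of interpreting it as markup.
    """
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_script_element(page: str) -> bool:
    """Crude check used only for this demonstration: is there a live
    <script> start tag anywhere in the generated HTML?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_QUERY))
    print("escaped:", render_escaped(SAMPLE_QUERY))
```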
Another point the CERT warning raises is that this so-called malicious code could hide in frame and snoop data from another frame entirely. Sure, if your browser's buggy enough to allow such a thing. Dozens of such vulnerabilities have been removed from both Netscape and Internet Explorer; I think the threat of one frame spying on another is just about over. But hey, if it really was '96 all over again, they'd have an excellent point.
While we're on the subject, why do e-mail and news clients even support JavaScript, anyway? There's no legitimate purpose for it being there, after all, and it just serves as a way for someone to exploit the next big implementation bug that pops up. Had CERT posted a recommendation that all future browsers remove scripting capabilities from their e-mail and news clients, I think the hacking community would have stood up and applauded.
Shall we eradicate our entire cookie file, only browse the sites that are in our bookmarks, and never venture forth onto the Web again because of a sudden warning about a low-grade threat that's existed for nearly half a decade and for which many of the exploits have already been patched? The layman and the newbie are certainly being led to think so. I simply can't believe their recommended course of action--disable all scripting, don't browse promiscuously, and get rid of all your cookies. (I usually wipe most of my cookies anyway, but there are a few I keep.)
I was surprised to see the news posted without so much as an editorial about how outdated and overblown the warning really is. This is 2000, not 1996. Malicious code is still out there and yes, it still can get you; but about the most that it can do is overload your system and force a shutdown or a crash. (Poison JavaScript or Java that causes a crash is usually a self-solving problem. Such code can be found and eliminated; it's not stealthy.) It can't (usually) cause one frame to spy on another. It can't just arbitrarily steal data from your hard drive. It's as dangerous and as harmless in static pages as in dynamically-generated pages.
I think it would be nice to read the news Monday and see that the media, instead of repeating the warning blindly, was now telling the world that the hacking community had denounced the CERT warning for the ridiculous paranoia it really is. Or failing that, perhaps we could get the blueprints to the time machine from whence this message came, and in turn we could deliver our own Chicken Little alerts about events that came and went many years ago. (Brace yourselves; I feel a 1987 coming on.)
Coris Neme