CERT warning? What, me worry?
By: Coris Neme
The February 3 announcement by CERT of a major security hole that affected all Web browsers so badly that they recommended wiping all cookies and browsing only known sites sounded bad--until I read the warning. I'm writing this article for one reason and one reason only: to dispel the FUD and hysteria of this ludicrous "warning". I've seen e-mail virus hoaxes that I was more inclined to panic about.
The supposed danger here, cross-site scripting, is that malicious JavaScript code could appear on a Web page, a newsgroup posting, or an e-mail. (Oh, my! The horror!) You might want to restrain your shock; this isn't news. Malicious scripts, unseen by the average user, have been possible since scripting languages came into being. Poison JavaScript and nasty Java applets are nothing new under the sun. CERT is basically telling us that it's 1996 again.
To be fair, the warning goes into a little more detail: It says that dynamically generated pages could launch JavaScript code unintentionally. Mr. Obvious, it's time for your wake-up call. Any page, dynamic or static or anything in between, can contain malicious code. But if you've disabled the scripting language that the code uses, it's irrelevant where the code came from.
Another point the CERT warning raises is that this so-called malicious code could hide in a frame and snoop data from another frame entirely. Sure, if your browser's buggy enough to allow such a thing. Dozens of such vulnerabilities have been removed from both Netscape and Internet Explorer; I think the threat of one frame spying on another is just about over. But hey, if it really was '96 all over again, they'd have an excellent point.
While we're on the subject, why do e-mail and news clients even support JavaScript, anyway? There's no legitimate purpose for it being there, after all, and it just serves as a way for someone to exploit the next big implementation bug that pops up. Had CERT posted a recommendation that all future browsers remove scripting capabilities from their e-mail and news clients, I think the hacking community would have stood up and applauded.
Shall we eradicate our entire cookie file, only browse the sites that are in our bookmarks, and never venture forth onto the Web again because of a sudden warning about a low-grade threat that's existed for nearly half a decade and for which many of the exploits have already been patched? The layman and the newbie are certainly being led to think so. I simply can't believe their recommended course of action--disable all scripting, don't browse promiscuously, and get rid of all your cookies. (I usually wipe most of my cookies anyway, but there are a few I keep.)
I was surprised to see the news posted without so much as an editorial about how outdated and overblown the warning really is. This is 2000, not 1996. Malicious code is still out there and yes, it still can get you; but about the most that it can do is overload your system and force a shutdown or a crash. (Poison JavaScript or Java that causes a crash is usually a self-solving problem. Such code can be found and eliminated; it's not stealthy.) It can't (usually) cause one frame to spy on another. It can't just arbitrarily steal data from your hard drive. It's as dangerous and as harmless in static pages as in dynamically-generated pages.
I think it would be nice to read the news Monday and see that the media, instead of repeating the warning blindly, was now telling the world that the hacking community had denounced the CERT warning for the ridiculous paranoia it really is. Or failing that, perhaps we could get the blueprints to the time machine from whence this message came, and in turn we could deliver our own Chicken Little alerts about events that came and went many years ago. (Brace yourselves; I feel a 1987 coming on.)
Coris Neme