OT (Online Topic) Top Experts Warn of Serious New Web Surfing Risk

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

[Fair Use: For Education and Research Purpose Only]

link

Top Experts Warn of Serious New Web Surfing Risk

By Ted Bridis, Associated Press Writer

WASHINGTON (AP) - The nation's top computer experts warned Internet users Wednesday about a serious new security threat that allows hackers to launch malicious programs on a victim's computer or capture information a person volunteers on a Web site, such as credit card numbers. The threat, dubbed "cross-site scripting," involves dangerous computer code that can be hidden within innocuous-looking links to popular Internet sites. The links can be e-mailed to victims or published to online discussion groups and Web pages.

-snip- (Please go to link for full story)

-- Dee (T1Colt556@aol.com), February 02, 2000

Answers

Dee:

You are an expert at limiting a thread. Only an incredibly stupid person would try this link after your explanation ;o).

Best wishes,,,

Z

-- Z1X4Y7 (Z1X4Y7@aol.com), February 02, 2000.


LOL Z Good point! =)

And now for the rest of the story....******************

The vulnerability was especially unusual because it is not limited to software from any particular company. Any Web browser on any computer visiting a complex Web site is at risk.

No one apparently has been victimized yet. But the risks were described as potentially so serious and affected such a breadth of even the largest, most successful Web sites that the industry's leading security group said nothing consumers can do will completely protect them.

Only a massive effort by Web site designers can eliminate the threat, according to the CERT Coordination Center of Carnegie Mellon University and others. Software engineers at CERT issued the warning Wednesday together with the FBI and the Defense Department.

The problem, discovered weeks ago but publicly disclosed Wednesday, occurs when complex Internet sites fail to verify that hidden software code sent from a consumer's browser is safe.

Experts looking at how often such filtering occurred found that Internet sites failing to perform that important safety check were "the rule rather than the exception," said Scott Culp, the top security program manager at Microsoft.

"Any information that I type into a form, what pages I visit on that site, anything that happens in that session can be sent to a third-party, and it can be done transparently," Culp warned. He added: "You do have to click on a link or follow a link in order for this to happen."

The dangerous code also can alter information displayed in a consumer's Web browser, such as account balances or stock prices at financial sites. And it can capture and quietly forward to others a Web site's "cookie," a small snippet of data that could help hackers impersonate a consumer on some Internet pages.

"It really goes across a huge number of sites," said Marc Slemko, a Canadian software expert who studied the problem. Slemko said Internet-wide repairs will be "a very, very major undertaking."

In the interim, experts strongly cautioned Internet users against clicking on Web links from untrusted sources, such as unsolicited e-mail or messages sent to discussion forums.

They also recommended that consumers at least consider preventing their Web browser software from launching small programs, called scripts. But they acknowledged that many Internet sites require that function to operate.

"A large number of sites simply aren't usable" without those functions, Slemko said.

Microsoft said it planned to publish full details and step-by-step instructions for consumers at its Web site, www.microsoft.com/security.

-- Dee (T1Colt556@aol.com), February 02, 2000.
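
The failure the article describes (a site copying data from the browser's request into its page without checking it) and the server-side fix, as an added example that is not part of the thread or the AP story. The link, the parameter name `q` and all function names are constructed for illustration.

```python
# Added example: constructed data, hypothetical function names.
import html
from urllib.parse import urlsplit, parse_qs

# Constructed link of the kind the article describes: the "q" parameter
# carries markup instead of a plain search term.
SAMPLE_LINK = "http://shop.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(link, name):
    """Return the decoded value of one query parameter ('' if absent)."""
    values = parse_qs(urlsplit(link).query).get(name, [""])
    return values[0]


def render_unfiltered(term):
    """The failure mode: request data is copied into the page as-is."""
    return "<p>Results for: " + term + "</p>"


def render_encoded(term):
    """The fix: encode request data for the HTML context before output."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def reflects_markup(page, term):
    """Check a response: did request-supplied markup survive verbatim?"""
    has_markup = any(c in term for c in "<>\"'")
    return has_markup and term in page


def audit(link, name, renderer):
    """Render the page for a link and report whether markup was reflected."""
    term = query_param(link, name)
    return reflects_markup(renderer(term), term)


if __name__ == "__main__":
    print("unfiltered reflects markup:", audit(SAMPLE_LINK, "q", render_unfiltered))
    print("encoded reflects markup:   ", audit(SAMPLE_LINK, "q", render_encoded))
```

The same `audit` check can be run over a site's own handlers to find pages that return request-supplied markup unencoded.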


---just **&^%$% great! Not! I do hereby name it-- BS2K-Bad Script 2000

...and now I go to hit the e-vile form submit button....

-- zog (zzoggy@yahoo.com), February 02, 2000.


"They also recommended that consumers at least consider preventing their Web browser software from launching small programs, called scripts."

I'm using MSIE ver 4.72.3110.8. The only option I can find dealing with scripts is "Disable script debugging" under [View][Internet Options][Advanced]. So how would one disable script launching?

-- Tom Carey (tomcarey@mindspring.com), February 02, 2000.


Thanks for the link Dee,

System admins, site designers, web programmers and others with a vested interest should be paying attention on this one. No, it's not the end of the world, but it is likely to be a thorn in your side if your job involves web sites...

Here's the CERT Advisory:

  • CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests

Here's what Microsoft is saying:

  • Information on Cross-Site Scripting Security Vulnerability
  • Quick Start: What Customers Can Do to Protect Themselves from Cross-Site Scripting
  • Cross-Site Scripting Security Exposure Executive Summary
  • Cross-Site Scripting: Frequently Asked Questions
  • HOWTO: Prevent Cross-Site Scripting Security Issues (TechNet)

Do you run Apache:

  • Apache: Cross Site Scripting Info

Or Sun:

  • Sun Microsystems: CERT Advisory CA-2000-02

-- Arnie Rimmer (Arnie_Rimmer@usa.net), February 02, 2000.


    Here's an interesting and vaguely familiar quote from the Apache site:
    "We would like to emphasize that this is not an attack against any specific bug in a specific piece of software. It is not an Apache problem. It is not a Microsoft problem. It is not a Netscape problem. In fact, it isn't even a problem that can be clearly defined to be a server problem or a client problem. It is an issue that is truly cross platform and is the result of unforeseen and unexpected interactions between various components of a set of interconnected complex systems."


    -- Arnie Rimmer (Arnie_Rimmer@usa.net), February 02, 2000.

    LOL Zog

    Tom and Arnie...thank you for your additional information on this thread. I concur Arnie--this release deserves a close LQQK.

    -- Dee (T1Colt556@aol.com), February 02, 2000.


    "Any information that I type into a form, what pages I visit on that site, anything that happens in that session can be sent to a third-party, and it can be done transparently," Culp warned. He added: "You do have to click on a link or follow a link in order for this to happen."

    Let me see if I understand this. This very serious problem is associated with one of the most fundamental and useful tools of the Web: links. A user has no way of defending themselves against it except for (a) disabling scripts (and functionality) in their browser or (b) not engaging in "promiscuous browsing" (aka, surfing the Web). Is that about the size of it?

    Can't imagine why anyone would be concerned...

    -- DeeEmBee (macbeth1@pacbell.net), February 02, 2000.


    They also recommended that consumers at least consider preventing their Web browser software from launching small programs, called scripts. But they acknowledged that many Internet sites require that function to operate.

    "A large number of sites simply aren't usable" without those functions, Slemko said.

    Depending on companies, their webmaster/programmers to install meaningful security measures at the expense of gathering information from you (for their use or for sale) is like depending on the government to confine itself to just counting your numbers for the census instead of asking all those unconstitutional and intrusive questions.

    Just say NO to Java, VBScript (and to a lesser extent Javascript). If a web site requires those, and you can find an e-mail address to them, send them an e-mail through your disposable Hotmail account telling them to f*off. Ditto with cookies. It isn't going to kill you to re-enter your credit card number on Amazon rather than storing it in your cookie file which I suspect can be read by anyone with larceny at heart, all the e-commerce protestations to the contrary.

    -- A (A@AisA.com), February 03, 2000.


    Well, Arnie, Microsoft strikes again.

    Okay -- I went to Quick Start: What Customers Can Do to Protect Themselves from Cross-Site Scripting

    Since I'm using MSIE 4.72.3110, my instructions are:

    IE 4.x:

    1 Choose the "View" entry from the menu bar, then "Internet Options". Select the "General" tab.

    2 Click the "Restricted Sites" icon, then "Custom Level".

    3 In the "Security Settings" dialogue, scroll down the list of settings until you see "Scripting". Immediately below it will be "Active Scripting". Click on the "disable" button for "Active Scripting". When asked to confirm the change, answer "yes".

    4 Click OK to return to IE.

    Looks simple enough. Did step 1. Piece of cake.

    Oops. Step 2 was impossible, since no "Restricted Sites" icon appears there.

    The "General" tab allows me to change the home page assignment, to delete temporary internet files (and change settings for their management), and to delete the "History" files (or change the term they're kept in memory). Options also exist for setting fonts, colors, languages and accessibility (modifies formatting only). Nowhere here is any mention of "Restricted Sites" or anything similar.

    The other tabs available are "Security," "Content," "Connection," "Programs," and "Advanced." None of these contain any reference to "Restricted Sites."

    Who are these people at Microsoft? I understand they're paid very well -- but what for?

    -- Tom Carey (tomcarey@mindspring.com), February 03, 2000.



    To disable stuff in Internet Explorer click on the following:

      • View
      • Internet Options
      • Security Tab
      • Select Restricted Zone from the Zone
      • Customize Settings
      • then disable everything having to do with ActiveX and scripting; optionally also disable Java (although the most risk is with ActiveX)
      • Click on OK
      • Apply

    Java is not as dangerous as ActiveX because unsigned applets (most of the applets you'd ever encounter) run in a restricted sandbox which prevents them from accessing your file system or connecting to remote sites other than the one it came from. ActiveX controls can do anything on your machine.

    Note that you can reset back to the regular "Internet Zone" or alternately recustomize to reenable these features.

    -- slza (slza@erols.com), February 09, 2000.

