Re: Malicious HTML Threatens Web Users

by Doug Mason

10 February 2000 00:53 UTC

HI all. I added myself to the LW list four days ago. Now that the piefights are done with, I can see there are some powerful minds here. Great reading. Excellent charts.

Re: that virus scare. I thought it sounded like something that must have been possible for a long time, so I forwarded the URL to a genius friend who works in IT. His response to me follows; I think you'll find interesting: -------------------------------------------------------------------

This made a big splash on the security links on Feb 2.

A typical verbose Microsoft version can be found at:

http://www.microsoft.com/security/default.asp

A much better description can be found at CERT:

http://www.cert.org/

This is a really old problem - basically any good scripting language uses self-modifying code (like DCL, build a .COM then @s it). I ran into this in 1972 using APL on an SFU [Simon FraserUniversity] computer. There was this file called Backgammon and running it would change your password to "gotohell" and log you out. APL has an unquote and it was my first experience with self-modifying languages.

Self-modifying languages have trouble separating data from programs so if you can hack the data files (usually an easy attack) then get the site engine to run them as programs you can cause all sorts of mischief. Word and Excel macros and template files fall in this category that is why there are so many viruses for these products.

In HTML if you add a in the middle of your e-mail or submitted form. If there is no check for < or > the site engine will quite merrily go off and execute the ACTION verb. This has been part of HTML since day one!

I could not find out what happened on Feb 2 to raise the alarm (no one appears to have been hit or it is a secret because someone really big got hit). In any case "good" programmers always parse out the <> before they process the text. "Better" programmers log the offending URL and start to watch for attacks from that site. -

-- watching out 4 you (watchingout4you@watchinggg.xcom), February 09, 2000

Answers

CERT L ink

As of this post, site last updated Feb. 4. They make note of reports of DOS attacks. Who was getting hit? Smaller, insignificant sites? Could it have been a warm-up for the big ones like Yahoo, Ebay, Etrade, etc.? Time will tell if is this is a one time thing or an escalation in hostilities.

I am having doubts that this is caused by a bunch kids having fun, like I keep hearing on the 'Media'.

But, by tomorrow it may have turned out to be one more of those BsITR.

-- Kyle (fordtbonly@aol.com), February 09, 2000.

'bunch of kids'...I am glad I never chose a career as a proofreader.

-- Kyle (fordtbonly@aol.com), February 09, 2000.