
Javascript and security

Someone posted the following statement in another ng:

"One significant reason for disabling JavaScript when browsing the
Internet is that it is a definite security hazard to the user if they
have JavaScript enabled. There is a lot of malicious code on web
sites that uses JavaScript to infect the user's computer with
malicious code."

In my naive world, the statement is false. Am I correct? If not, could
someone sketch an example of how js can compromise a user's machine?
--
Ed Jay (remove 'M' to respond by email)
Jan 25 '08 #1
9 Replies


Ed Jay wrote:
> Someone posted the following statement in another ng:
>
> "One significant reason for disabling JavaScript when browsing the
> Internet is that it is a definite security hazard to the user if they
> have JavaScript enabled. There is a lot of malicious code on web
> sites that uses JavaScript to infect the user's computer with
> malicious code."
>
> In my naive world, the statement is false. Am I correct? If not, could
> someone sketch an example of how js can compromise a user's machine?

There are plenty of security holes in browsers. The stack overflow in
various different media handlers is the most obvious. I don't personally
see how JavaScript increases the risk. It's just as easy to embed a
stack-overflow-causing jpeg without JavaScript as it is with it. Browser
JavaScript is basically running in a sandbox and has limited
capabilities. I can see why you might disable it to try and limit a
site's ability to track you via cookies, but cookies can be set from the
server in the response header anyway so even there it doesn't help too
much. The only real benefit I can think of to disabling JavaScript is to
stop it opening popup windows, but then popup blockers are standard
these days anyway.
Jan 25 '08 #2
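
The point made in the reply above, that a server can set cookies in the response header with scripting switched off, shown as an added example that is not part of the thread. `serverRespond`, `ScriptlessClient` and the `vid` cookie are hypothetical names, and the visitor IDs are constructed.

```javascript
// Added example; serverRespond, ScriptlessClient and "vid" are hypothetical names.
let nextVisitor = 1; // constructed, predictable IDs so the run is repeatable

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Server: recognise a returning visitor, or issue an ID in the response header.
function serverRespond(requestHeaders) {
  const vid = parseCookieHeader(requestHeaders.cookie || '').vid;
  if (vid) return { headers: {}, recognised: vid };
  const issued = 'visitor-' + nextVisitor++;
  return { headers: { 'set-cookie': `vid=${issued}; Path=/; HttpOnly` }, recognised: null };
}

// Client: the browser's network layer, which stores and replays cookies
// whether or not a script engine is enabled.
class ScriptlessClient {
  constructor() { this.jar = new Map(); }
  request(server) {
    const cookie = [...this.jar].map(([k, c]) => `${k}=${c.value}`).join('; ');
    const res = server(cookie ? { cookie } : {});
    const setCookie = res.headers['set-cookie'];
    if (setCookie) {
      const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
      const eq = pair.indexOf('=');
      const httpOnly = attrs.some((a) => a.toLowerCase() === 'httponly');
      this.jar.set(pair.slice(0, eq), { value: pair.slice(eq + 1), httpOnly });
    }
    return res;
  }
  // What document.cookie would return to page script: HttpOnly entries are hidden.
  scriptVisible() {
    return [...this.jar].filter(([, c]) => !c.httpOnly)
      .map(([k, c]) => `${k}=${c.value}`).join('; ');
  }
}

function demo() {
  const client = new ScriptlessClient();
  const first = client.request(serverRespond);  // no cookie yet, server issues one
  const second = client.request(serverRespond); // cookie replayed automatically
  return { first: first.recognised, second: second.recognised, scriptVisible: client.scriptVisible() };
}
```

In `demo()` the server recognises the second request although no script ran, and the `HttpOnly` cookie is absent from what `document.cookie` would expose.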

On Jan 25, 1:42 pm, Stevo <ple...@spam-me.com> wrote:
> Ed Jay wrote:
> > Someone posted the following statement in another ng:
> > "One significant reason for disabling JavaScript when browsing the
> > Internet is that it is a definite security hazard to the user if they
> > have JavaScript enabled. There is a lot of malicious code on web
> > sites that uses JavaScript to infect the user's computer with
> > malicious code."
> > In my naive world, the statement is false. Am I correct? If not, could
> > someone sketch an example of how js can compromise a user's machine?
>
> There are plenty of security holes in browsers. The stack overflow in
> various different media handlers is the most obvious. I don't personally
> see how JavaScript increases the risk. It's just as easy to embed a
> stack-overflow-causing jpeg without JavaScript as it is with it. Browser
> JavaScript is basically running in a sandbox and has limited
> capabilities. I can see why you might disable it to try and limit a
> site's ability to track you via cookies, but cookies can be set from the
> server in the response header anyway so even there it doesn't help too
> much. The only real benefit I can think of to disabling JavaScript is to
> stop it opening popup windows, but then popup blockers are standard
> these days anyway.

For the people who accept new info here is one link to a direct
infection caused by JavaScript http://groups.google.com/group/stopb...d/thread/5d418...
there are many more.

Daniel

http://a-ok-site.com
Jan 25 '08 #3

On Jan 25, 1:42 pm, Stevo <ple...@spam-me.com> wrote:
> Ed Jay wrote:
> > Someone posted the following statement in another ng:
> > "One significant reason for disabling JavaScript when browsing the
> > Internet is that it is a definite security hazard to the user if they
> > have JavaScript enabled. There is a lot of malicious code on web
> > sites that uses JavaScript to infect the user's computer with
> > malicious code."
> > In my naive world, the statement is false. Am I correct? If not, could
> > someone sketch an example of how js can compromise a user's machine?
>
> There are plenty of security holes in browsers. The stack overflow in
> various different media handlers is the most obvious. I don't personally
> see how JavaScript increases the risk. It's just as easy to embed a
> stack-overflow-causing jpeg without JavaScript as it is with it. Browser
> JavaScript is basically running in a sandbox and has limited
> capabilities. I can see why you might disable it to try and limit a
> site's ability to track you via cookies, but cookies can be set from the
> server in the response header anyway so even there it doesn't help too
> much. The only real benefit I can think of to disabling JavaScript is to
> stop it opening popup windows, but then popup blockers are standard
> these days anyway.

Here is an example of JavaScript being used to spread malicious code
and there are many more.

http://groups.google.com/group/stopb...4187b832224f51

Daniel

http://a-ok-site.com
Jan 25 '08 #4

On Jan 25, 3:00 pm, "aoksi...@gmail.com" <aoksi...@gmail.com> wrote:
> On Jan 25, 1:42 pm, Stevo <ple...@spam-me.com> wrote:
> > Ed Jay wrote:
> > > Someone posted the following statement in another ng:
> > > "One significant reason for disabling JavaScript when browsing the
> > > Internet is that it is a definite security hazard to the user if they
> > > have JavaScript enabled. There is a lot of malicious code on web
> > > sites that uses JavaScript to infect the user's computer with
> > > malicious code."
> > > In my naive world, the statement is false. Am I correct? If not, could
> > > someone sketch an example of how js can compromise a user's machine?
> > There are plenty of security holes in browsers. The stack overflow in
> > various different media handlers is the most obvious. I don't personally
> > see how JavaScript increases the risk. It's just as easy to embed a
> > stack-overflow-causing jpeg without JavaScript as it is with it. Browser
> > JavaScript is basically running in a sandbox and has limited
> > capabilities. I can see why you might disable it to try and limit a
> > site's ability to track you via cookies, but cookies can be set from the
> > server in the response header anyway so even there it doesn't help too
> > much. The only real benefit I can think of to disabling JavaScript is to
> > stop it opening popup windows, but then popup blockers are standard
> > these days anyway.
>
> Here is an example of JavaScript being used to spread malicious code
> and there are many more.
>
> http://groups.google.com/group/stopb...d/thread/5d418...
>
> Daniel
>
> http://a-ok-site.com

And another from a different source
http://www.trendmicro.com/vinfo/viru...E%2EAQ&VSect=P

Daniel

http://a-ok-site.com
Jan 25 '08 #5

On Jan 25, 3:04 pm, "aoksi...@gmail.com" <aoksi...@gmail.com> wrote:
> On Jan 25, 3:00 pm, "aoksi...@gmail.com" <aoksi...@gmail.com> wrote:
> > On Jan 25, 1:42 pm, Stevo <ple...@spam-me.com> wrote:
> > > Ed Jay wrote:
> > > > Someone posted the following statement in another ng:
> > > > "One significant reason for disabling JavaScript when browsing the
> > > > Internet is that it is a definite security hazard to the user if they
> > > > have JavaScript enabled. There is a lot of malicious code on web
> > > > sites that uses JavaScript to infect the user's computer with
> > > > malicious code."
> > > > In my naive world, the statement is false. Am I correct? If not, could
> > > > someone sketch an example of how js can compromise a user's machine?
> > > There are plenty of security holes in browsers. The stack overflow in
> > > various different media handlers is the most obvious. I don't personally
> > > see how JavaScript increases the risk. It's just as easy to embed a
> > > stack-overflow-causing jpeg without JavaScript as it is with it. Browser
> > > JavaScript is basically running in a sandbox and has limited
> > > capabilities. I can see why you might disable it to try and limit a
> > > site's ability to track you via cookies, but cookies can be set from the
> > > server in the response header anyway so even there it doesn't help too
> > > much. The only real benefit I can think of to disabling JavaScript is to
> > > stop it opening popup windows, but then popup blockers are standard
> > > these days anyway.
> > Here is an example of JavaScript being used to spread malicious code
> > and there are many more.
> > http://groups.google.com/group/stopb...d/thread/5d418...
> > Daniel
> > http://a-ok-site.com
>
> And another from a different source http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5F...
>
> Daniel
>
> http://a-ok-site.com

btw... I am the one who posted in the other group.

Daniel

http://a-ok-site.com
Jan 25 '08 #6

ao******@gmail.com wrote:
> btw... I am the one who posted in the other group.

And neither have you a single clue what you are talking about nor where you
are posting (else you would have obeyed the minimum of Usenet guidelines).

If you have to post further such FUD, post it to your Google group.
PointedEars
--
realism: HTML 4.01 Strict
evangelism: XHTML 1.0 Strict
madness: XHTML 1.1 as application/xhtml+xml
-- Bjoern Hoehrmann
Jan 25 '08 #7

ao******@gmail.com scribed:
> On Jan 25, 3:00 pm, "aoksi...@gmail.com" <aoksi...@gmail.com> wrote:
> > On Jan 25, 1:42 pm, Stevo <ple...@spam-me.com> wrote:
> > > Ed Jay wrote:
> > > > Someone posted the following statement in another ng:
> > > > "One significant reason for disabling JavaScript when browsing the
> > > > Internet is that it is a definite security hazard to the user if they
> > > > have JavaScript enabled. There is a lot of malicious code on web
> > > > sites that uses JavaScript to infect the user's computer with
> > > > malicious code."
> > > > In my naive world, the statement is false. Am I correct? If not, could
> > > > someone sketch an example of how js can compromise a user's machine?
> > > There are plenty of security holes in browsers. The stack overflow in
> > > various different media handlers is the most obvious. I don't personally
> > > see how JavaScript increases the risk. It's just as easy to embed a
> > > stack-overflow-causing jpeg without JavaScript as it is with it. Browser
> > > JavaScript is basically running in a sandbox and has limited
> > > capabilities. I can see why you might disable it to try and limit a
> > > site's ability to track you via cookies, but cookies can be set from the
> > > server in the response header anyway so even there it doesn't help too
> > > much. The only real benefit I can think of to disabling JavaScript is to
> > > stop it opening popup windows, but then popup blockers are standard
> > > these days anyway.
> >
> > Here is an example of JavaScript being used to spread malicious code
> > and there are many more.
> >
> > http://groups.google.com/group/stopb...d/thread/5d418...
> >
> > Daniel
> >
> > http://a-ok-site.com
>
> And another from a different source
> http://www.trendmicro.com/vinfo/viru...E%2EAQ&VSect=P

Daniel, as I keep telling you in the html group, you are confusing errant js
on a web site with a user's computer being compromised. You keep citing
articles that clearly speak to web site hacking. The above citation states
quite clearly:

"This malicious Javascript is hosted on a Web site and run when a user
accesses the said Web site."

"It accesses Web sites to download files. As a result, malicious routines of
the downloaded files may be exhibited on the affected system."

And, as I've already mentioned, the user must execute the downloaded file to
infect his/her machine. It's the d/l file that causes havoc, not javascript.
If you follow the "Solution" link offered in your citation, it brings you
to:
<http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FIESLICE%2EAQ&VSect=Sn>,
in which there is no mention of disabling js to resolve or prevent the
problem.
--
Ed Jay (remove 'M' to respond by email)
Jan 25 '08 #8

On Jan 25, 3:17 pm, Thomas 'PointedEars' Lahn <PointedE...@web.de> wrote:
> aoksi...@gmail.com wrote:
> > btw... I am the one who posted in the other group.
>
> And neither have you a single clue what you are talking about nor where you
> are posting (else you would have obeyed the minimum of Usenet guidelines).
>
> If you have to post further such FUD, post it to your Google group.
>
> PointedEars
> --
> realism: HTML 4.01 Strict
> evangelism: XHTML 1.0 Strict
> madness: XHTML 1.1 as application/xhtml+xml
> -- Bjoern Hoehrmann

Please read this

http://www.trendmicro.com/vinfo/viru...sp?VName=JS%5F...

and this

http://www.trendmicro.com/vinfo/viru...sp?VName=JS%5F...

It more clearly states the issue.

Daniel

http://a-ok-site.com
Jan 26 '08 #9

On Jan 25, 3:31 pm, Ed Jay <ed...@aes-intl.com> wrote:
> aoksi...@gmail.com scribed:
> > On Jan 25, 3:00 pm, "aoksi...@gmail.com" <aoksi...@gmail.com> wrote:
> > > On Jan 25, 1:42 pm, Stevo <ple...@spam-me.com> wrote:
> > > > Ed Jay wrote:
> > > > > Someone posted the following statement in another ng:
> > > > > "One significant reason for disabling JavaScript when browsing the
> > > > > Internet is that it is a definite security hazard to the user if they
> > > > > have JavaScript enabled. There is a lot of malicious code on web
> > > > > sites that uses JavaScript to infect the user's computer with
> > > > > malicious code."
> > > > > In my naive world, the statement is false. Am I correct? If not, could
> > > > > someone sketch an example of how js can compromise a user's machine?
> > > > There are plenty of security holes in browsers. The stack overflow in
> > > > various different media handlers is the most obvious. I don't personally
> > > > see how JavaScript increases the risk. It's just as easy to embed a
> > > > stack-overflow-causing jpeg without JavaScript as it is with it. Browser
> > > > JavaScript is basically running in a sandbox and has limited
> > > > capabilities. I can see why you might disable it to try and limit a
> > > > site's ability to track you via cookies, but cookies can be set from the
> > > > server in the response header anyway so even there it doesn't help too
> > > > much. The only real benefit I can think of to disabling JavaScript is to
> > > > stop it opening popup windows, but then popup blockers are standard
> > > > these days anyway.
> > > Here is an example of JavaScript being used to spread malicious code
> > > and there are many more.
> > > http://groups.google.com/group/stopb...d/thread/5d418...
> > > Daniel
> > > http://a-ok-site.com
> > And another from a different source
> > http://www.trendmicro.com/vinfo/viru...sp?VName=JS%5F...
>
> Daniel, as I keep telling you in the html group, you are confusing errant js
> on a web site with a user's computer being compromised. You keep citing
> articles that clearly speak to web site hacking. The above citation states
> quite clearly:
>
> "This malicious Javascript is hosted on a Web site and run when a user
> accesses the said Web site."
>
> "It accesses Web sites to download files. As a result, malicious routines of
> the downloaded files may be exhibited on the affected system."
>
> And, as I've already mentioned, the user must execute the downloaded file to
> infect his/her machine. It's the d/l file that causes havoc, not javascript.
> If you follow the "Solution" link offered in your citation, it brings you
> to:
> <http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5F...>,
> in which there is no mention of disabling js to resolve or prevent the
> problem.
> --
> Ed Jay (remove 'M' to respond by email)

I apologize if this turns into a double post, but the links seemed
broken in the first.
Please read this

http://www.trendmicro.com/vinfo/viru...%2EAQ&VSect=Sn

and this

http://www.trendmicro.com/vinfo/viru...E%2EAQ&VSect=T

Daniel

http://a-ok-site
Jan 26 '08 #10
