Copy Link
Add to Bookmark
Report
CERT Advisory 152
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
CERT* Advisory CA-97.20
Original issue date: July 8, 1997
Last revised: -- July 11, 1997 - Updated Appendix A with vendor information
for vulnerable browers.
A complete revision history is at the end of this file.
Topic: JavaScript Vulnerability
- -----------------------------------------------------------------------------
The CERT Coordination Center has received reports of a vulnerability in
JavaScript that enables remote attackers to monitor a user's Web activities.
The vulnerability affects several Web browsers that support JavaScript.
The vulnerability can be exploited even if the browser is behind a firewall
and even when users browse "secure" HTTPS-based documents.
The CERT/CC team recommends installing a patch from your vendor or upgrading
to a version that is not vulnerable to this problem (see Section III. A).
Until you can do so, we recommend disabling JavaScript (see Section III.B).
We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
I. Description
Several web browsers support the ability to download JavaScript programs
with an HTML page and execute them within the browser. These programs
are typically used to interact with the browser user and transmit
information between the browser and the Web server that provided the
page.
JavaScript programs are executed within the security context of the page
with which they were downloaded, and they have restricted access to other
resources within the browser. Security flaws exist in certain Web
browsers that permit JavaScript programs to monitor a user's browser
activities beyond the security context of the page with which the
program was downloaded. It may not be obvious to the browser user that
such a program is running, and it may be difficult or impossible for the
browser user to determine if the program is transmitting information
back to its web server.
The vulnerability can be exploited even if the Web browser is behind a
firewall (if JavaScript is permitted through the firewall) and even when
users browse "secure" HTTPS-based documents.
II. Impact
This vulnerability permits remote attackers to monitor a user's browser
activity, including:
* observing the URLs of visited documents,
* observing data filled into HTML forms (including passwords), and
* observing the values of cookies.
III. Solution
The best solution is to obtain a patch from your vendor or upgrade to a
version that is not vulnerable to this problem. If a patch or upgrade is
not available, or you cannot install it right away, we recommend
disabling JavaScript until the fix is installed.
A. Obtain and install a patch for this problem.
We are currently in communication with vendors about this problem.
See Appendix A for the current information. We will update the
appendix when we receive further information.
B. Disable JavaScript.
Until you are able to install the appropriate patch, we recommend
disabling JavaScript in your browser. Note that JavaScript and Java
are two different languages, and this particular problem is only with
JavaScript. Enabling or disabling Java rather than JavaScript will
have no affect on this problem.
The way to disable JavaScript is specific to each browser. The
option, if available at all, is typically found as one of the Options
or Preferences settings.
........................................................................
Appendix A - Vendor Information
Below is information we have received from vendors. We will update this
appendix as we receive additional information.
Microsoft
=========
Microsoft Internet Explorer 3.* and 4.* are vulnerable. Microsoft has
announced their patch plans for this problem at:
http://www.microsoft.com/ie/security/update.htm
Netscape
========
Netscape Navigator/Communicator versions 2.*, 3.* and 4.* are vulnerable.
See:
http://www.netscape.com/flash4/assist/security/index.html
for details.
- -----------------------------------------------------------------------------
The CERT Coordination Center thanks Vinod Anupam of Bell Labs, Lucent
Technologies, for identifying and analyzing this problem, and vendors for
their support in responding to this problem.
- -----------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).
CERT/CC Contact Information
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://info.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.
The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
- ---------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.20.javascript
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
July 11, 1997 - Updated Appendix A with vendor information
for vulnerable browers.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBM8YyDnVP+x0t4w7BAQEF5wQAwN30B9mTu296cobg+unDmcLbNZemZxXB
6e3vsMIrE7q/1ap3TT4P9QJg+QZCa0uW8Zj6vcaRA1CEQIJqab+yx6L/7rlg5EeN
iy/jzixnRQbz/Xtq2A0l0auD5dpoRm6+hPZxb9RSxprPF2vDCTecjZ9oaweDlJsC
L0jSV06EWjg=
=a+6f
-----END PGP SIGNATURE-----
