
JavaScript opens doors to browser-based attacks

Alec§taar

Been stating it for years online (since 1997-1998, about script languages in browsers of ANY kind really) here:

http://www.avatar.demon.nl/page/index.html

That JavaScript is potentially dangerous, & to turn it off in your web browsers on the public internet (I never liked having to say that, but I knew it'd happen in combination w/ other tools working with it as a "blended threat").

JavaScript opens doors to browser-based attacks

http://news.com.com/JavaScript+open...3-6099891.html?part=rss&tag=6099891&subj=news

* Here we are today (and it's dead-on right):

"Attacks aren't widespread, Grossman said. "JavaScript malware is still cutting-edge, and nobody really knows what you can do with it," he said. "Liken it to the early days of an e-mail virus--that's where we're at now. I think we're going to see (many) more attacks.""

APK
 
Too many websites use JavaScript for you to disable it without losing a lot of functionality. It's like trying to browse the web with images disabled, possible but not very enjoyable.
 
Aegis said:
Too many websites use JavaScript for you to disable it without losing a lot of functionality.

What? I disable it and run just fine... this site being just one example, I can cite quite a few more that run just fine w/out scripting turned on!

The only time (very few) I have seen hassles this way is sites that do logons & such in combination with Javascript, which is the minority in my experience (cookies for example, are in far larger use imo & experience online & omitting THEIR usage causes more hassles IMO & EXPERIENCE online).

SO, from my point-of-view/experience to sites I go to?

It is a minority (in fact, a rarity) of sites that use Javascript in such a manner that "I lose too much functionality" @ their sites... maybe e-commerce sites, but that is about it.

(And, I've been online for 12 years straight/solid, and this is the case - you can get along fine & do pretty much what you need online & NOT run java &/or javascript (or, activescript or activeX even))

Aegis said:
It's like trying to browse the web with images disabled

Oh man, FAR FROM IT...

Your analog? IMO, both images & javascript being present (or not) ARE NOTHING alike, & not even remotely in the same league whatsoever as a comparison - not by a longshot!

Well, except that in NOT using them, you will surf faster... except imagery is necessary imo, but java/javascript are not.

Aegis said:
possible but not very enjoyable.

I don't get it... do you like animations from adbanners & such or something? Because I don't allow those either (HOSTS FILES & Custom Cascading Style Sheets in combination with native to Opera adbanner blockers)... & I don't consider Adbanners function I need, far from it!

APK

P.S.=> Your statement, though you're entitled to it, has no backup really (I do more of it in YOUR favor than you do man!)

It sounds like a particular website master I know who hates HOSTS files!

E.G.-> Said webmaster goes as far as saying that DNS resolutions from your ISP/BSP are as fast as that is or can be (custom hosts files URL resolving) which is, an outright lie... easily disproven no less via pings!

After all - it is SIMPLE to disprove, & custom hosts files not only block banner ad loads (speeding you up) but can be used to speed up URL resolution (showing a 30-60 fold ns speed boost simply thru ping or traceroutes) vs. using DNS inquiries!

(No, statements like that, easily disproven ones no less are more showing fear of a lack of bannerad payouts for views of them imo... makes sense (dollars & cents) from their point of view)

However, from mine? It's my bandwidth I pay for - I want ALL of it! I hit a site that no longer resolves? I edit my HOSTS file for it, get its TRUE (& now changed) IP, & edit it properly again with its current IP using notepad.exe & the fact your IP stack in Windows XP/Server 2003 is "PNP" driver based & user-mode restartable, no reboot required (however, in Windows 2000, you may have to reboot)... apk
 
Yes, I stay far away from javascript software and I always disable all of it. Great way to get a virus. No thanks and I too cannot stand all the BS that comes with it.
 
b1lk1 said:
Yes, I stay far away from javascript software and I always disable all of it. Great way to get a virus. No thanks and I too cannot stand all the BS that comes with it.

Good point!

I say this, because on the public internet, the use of javascripts & java in adbanners have been shown 2-4 times now in the past 2-3 years alone, that I know of, as harboring bogus script in it, that has done what you state - spread viruses!

If you want URLs substantiating this, just ask, I have them bookmarked. Here is an example:

http://www.cgisecurity.com/articles/xss-faq.shtml

Here is another:

http://news.yahoo.com/s/nf/20060721/tc_nf/44765

(Those are only a couple, there have been quite a few more noting this happening!)

NOW, however:

For INTRANET programming, I can see using it, it is "safe" there, afaik... & sometimes, you're "stuck" with it if you can't duplicate a functionality w/out it.

(For sites that DEMAND I use javascript, I might turn it on, once I run it thru one of those detectors for malware script like McAfee has (not perfect, but better than nothing @ all)... & it shows as non-malicious. Then, I'll turn on scripting as needed by type required by the site, but that is all, & turn it off when I am done doing whatever needs doing there!)

APK
 