httpd-users mailing list archives

From Chad A Gard <g...@indy.net>
Subject Re: [users@httpd] JAVASCRIPT VIRII - myth? or fact?
Date Wed, 23 Oct 2002 21:43:54 GMT
>
>symantec has several listed,
>http://symantec.com
>search their database for javascript virus.


Symantec has one listed (actually a trojan, not a virus) which 
requires you to have an ActiveX control.  Actually, the virus is a 
Visual Basic script.

http://securityresponse.symantec.com/avcenter/venc/data/vbs.kidarcade.f.html

The only other response to a search on Symantec's site for 
"javascript virus" is a pdf file, 
http://enterprisesecurity.symantec.com/PDF/Fact_Fic.pdf

which, if one reads the page or so on javascript (which is co-mingled 
with VBscript), it's shown that you have to have some sort of broken 
component (an activeX control).

JavaScript was created from the beginning to run in a sandbox.  It 
could not access the OS filesystem in any way, short of commanding 
the browser to do something like open a window and go to a URL, which 
could download a file (which one would probably notice).  Most of the 
inherent security flaws in JavaScript (like sending email, reading 
directories, tracking history, and the really nasty one, the "stuck 
OnLoad()" defect) went away with the arrival of NS3.0b.  I remember 
the day well, and there was much rejoicing (yeah).  Unless you're 
using a REALLY old browser ('cept not quite too old, as, obviously, 
lynx or Mosaic don't have the problem), you need to have some sort of 
defect in an optional extra that really shouldn't exist anyway.

Remember the old Coke "free cupholder" ActiveX thing?  That should 
have made it obvious to everyone that the concept of ActiveX was a 
Bad Thing.  Something is broken, to be sure.  But let's point the 
finger in the right place (and that place is not JavaScript, any more 
than it was Perl's fault I inadvertently hosed all the file 
permissions on my DAV server).
-- 
Chad Gard, KB9WXQ
INCHASE: http://www.inchase.org  Co-founder
INSWA: http://www.insw.org Unit #21


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org